Daily Archives: November 6, 2019

#cybersecurity | #infosec | Smashing Security #153: Cybercrime doesn’t pay (but Uber does)

Source: National Cyber Security – Produced By Gregory Evans

The cybercrime lovebirds who hijacked Washington DC’s CCTV cameras in the run-up to Donald Trump’s inauguration, the truffle-snuffling bankers at the centre of an insider-trading scandal, and the hackers that Uber paid hush money to hide a security breach.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Lisa Forte.


The post #cybersecurity | #infosec | Smashing Security #153: Cybercrime doesn’t pay (but Uber does) appeared first on National Cyber Security.


hacker proof, #hackerproof

Corporate Cyber Espionage’s Channel …


Proactive defense and automation can help your company deal with scale and prioritize risks in order to more efficiently fight cyber espionage.

The number of corporate espionage attacks is increasing. From advanced persistent threat attacks siphoning off proprietary research and intellectual property to fake social media accounts used for social engineering attacks to launch malware, enterprises’ valuable information and trade secrets are being compromised.

Corporate espionage tactics have evolved with the digital revolution; criminals no longer need to break into a physical building to steal a company’s crown jewels. The threat landscape for businesses has expanded alongside the adoption of new social media and digital channels. Social media platforms and channels have now become business essentials, and bad actors have taken notice.

Many of these social media platforms lie outside the traditional cybersecurity perimeter, which lets bad actors reach an individual’s, enterprise’s, or government’s information without tripping traditional network security controls. For example, credible reports show that WeChat has been involved in cyber espionage campaigns, with the Chinese government using the platform to collect intelligence, monitor activity, and recruit potential spies. Beijing has even developed Trojan spyware for distribution through WeChat, and the app has been used as a backdoor to hijack users’ phones.

We’ve also seen damaging corporate cyber espionage campaigns conducted through LinkedIn. Last December, Operation Sharpshooter was found to be targeting nuclear, defense, energy, and financial companies, with the goal of penetrating security defenses and stealing intellectual property. One way the bad actors behind this campaign approached their targets was by posing as job recruiters and using messaging apps for outreach. The Iranian-linked APT34 group recently ran a similar campaign through LinkedIn, phishing employees in targeted industries with malicious documents delivered over LinkedIn messaging. These campaigns yielded insider information and data from the targeted industries.

These threats are so severe that this summer the FBI warned government contractors that foreign intelligence officers may target them using social media  to gather information and conduct espionage campaigns. 

Why There Is More Risk for Cyber Espionage Through Social Media

People are more trusting online. The risks that email poses to businesses are well established: companies regularly train employees to recognize phishing emails, monitor mail traffic, and run phishing simulations against their staff. Behavior on social media is different; individuals tend to trust more and overshare when they’re using it. Without comparable awareness and controls for these channels, it’s easier to use social engineering to target employees with personalized attacks.

Expanded attack surface creates gaps in cyber defense

Social media platforms lie outside the traditional cybersecurity perimeter. This is problematic because security and compliance teams have limited visibility into the social channels that employees use. Even if they block channels such as Facebook at the firewall, employees can get around that by logging in on their phones.

Attacks are difficult to detect

Many enterprises lack visibility into the accounts and pages that extend their attack surface. If an employee’s personal LinkedIn account is compromised because that person clicked a malicious link in the mobile app, the attacker gains a foothold (the employee’s device, credentials, and trusted contacts) from which to reach the company network, and the security team will have no idea. The bad actor behind the malicious link could then move into the company network and siphon off trade secrets without detection.

Steps to Combat Corporate Espionage and Mitigate Risks

Gain visibility into known and unknown social media assets

You can’t protect what you can’t see. The first step is to gain full visibility into your organization’s assets. Identify every brand account, including both accounts and pages for the company, individual departments, executives, and personnel. A clear inventory of social pages and accounts will clarify your company’s potential attack surface.

Establish control over brand assets

After you’ve inventoried your social media assets, establish control over them. A robust cybersecurity strategy starts with the principle of least privilege, by which users have access only to the systems and data necessary for their jobs. The same principle should apply to social media: limit who can post, who can change profile and contact details, and who holds the account credentials.

Respond to threats in real time

Conflict can escalate in seconds on social media. Whether an attacker attempts to take over a Twitter account, a botnet is used to mass-downvote videos on YouTube, or a bad actor steals an employee’s credentials to reach other channels, you need a response protocol that contains the attack before it spreads. Real-time detection of malicious content or account-takeover activity is the first step. Ensure you can lock down accounts, quarantine malicious content, or revert account profiles when a compromise happens.

Protect assets with a proactive defense

Your enterprise should proactively monitor for cyber threats and risks to your brand from bad actors and impostor accounts. This includes scanning the Dark Web and searching overlooked areas such as app stores and e-commerce sites.
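The four steps above (inventory, least privilege, real-time detection, revert) as a worked example. This is added code, not the article’s or SafeGuard Cyber’s; the event schema, asset names, admin lists, allowed domains and the sample audit events are all assumptions constructed for illustration. It runs a takeover pattern (foreign login, credential change, profile edit, phishing post) and a post from an un-inventoried account through a small detector and produces both alerts and a revert plan.

```python
"""Account-takeover detection over a constructed social-media audit trail.

Added example for the four steps above; it is not code from the article or
from SafeGuard Cyber. The event schema, asset names, admin lists, allowed
domains and the sample events are all assumptions made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Step 1 (visibility): inventory of known brand assets. Any asset that shows
# up in the audit trail but not here is an unknown asset and gets flagged.
KNOWN_ASSETS = {
    "twitter:acme_corp": {"owner": "comms", "admins": {"alice", "bob"}},
    "linkedin:acme-corp": {"owner": "hr", "admins": {"carol"}},
}

# Step 2 (least privilege): only the listed admins may perform these actions.
CRED_ACTIONS = {"password_change", "email_change"}
PRIVILEGED_ACTIONS = CRED_ACTIONS | {"profile_edit", "add_admin"}

# Domains the brand may link to; anything else in a post is suspect.
ALLOWED_DOMAINS = {"acme.example", "www.acme.example"}

# Constructed audit events: a legitimate post, then a takeover sequence
# (foreign login, credential change, profile edit, phishing post), then a
# post from an account nobody inventoried.
SAMPLE_EVENTS = [
    {"ts": "2019-11-06T08:59:00", "asset": "twitter:acme_corp", "actor": "alice",
     "action": "post", "text": "Q3 results: https://www.acme.example/ir"},
    {"ts": "2019-11-06T09:00:10", "asset": "twitter:acme_corp", "actor": "mallory",
     "action": "login"},
    {"ts": "2019-11-06T09:00:40", "asset": "twitter:acme_corp", "actor": "mallory",
     "action": "password_change"},
    {"ts": "2019-11-06T09:01:05", "asset": "twitter:acme_corp", "actor": "mallory",
     "action": "profile_edit", "field": "display_name",
     "old": "ACME Corp", "new": "ACME Support"},
    {"ts": "2019-11-06T09:01:30", "asset": "twitter:acme_corp", "actor": "mallory",
     "action": "post",
     "text": "Verify your account now http://acme-login.example.net/verify"},
    {"ts": "2019-11-06T09:30:00", "asset": "instagram:acme.official", "actor": "unknown",
     "action": "post", "text": "50% off http://acme-deals.example.org"},
]


def is_external_link(text):
    """True if any URL in the text points outside ALLOWED_DOMAINS."""
    for token in text.split():
        if token.startswith(("http://", "https://")):
            host = urlparse(token).hostname or ""
            if host not in ALLOWED_DOMAINS:
                return True
    return False


def analyze(events, window=timedelta(minutes=10)):
    """Steps 3 and 4 (detect and respond).

    Returns (alerts, revert_plan): alerts is a list of (asset, reason);
    revert_plan maps each asset to the profile fields to restore, with their
    pre-incident values, so the account can be reverted after lockdown.
    """
    alerts = []
    revert_plan = defaultdict(dict)
    last_cred_change = {}  # asset -> time of the most recent credential change
    for ev in events:
        asset, actor, action = ev["asset"], ev["actor"], ev["action"]
        ts = datetime.fromisoformat(ev["ts"])
        if asset not in KNOWN_ASSETS:
            alerts.append((asset, "unknown asset: not in inventory"))
            continue
        if action in PRIVILEGED_ACTIONS and actor not in KNOWN_ASSETS[asset]["admins"]:
            alerts.append((asset, f"{action} by non-admin {actor}"))
        if action in CRED_ACTIONS:
            last_cred_change[asset] = ts
            continue
        # A credential change followed within `window` by profile edits or
        # outbound links is the classic takeover sequence.
        recently_rotated = asset in last_cred_change and ts - last_cred_change[asset] <= window
        if action == "profile_edit":
            revert_plan[asset][ev["field"]] = ev["old"]
            if recently_rotated:
                alerts.append((asset, f"profile change shortly after credential change: {ev['field']}"))
        elif action == "post" and is_external_link(ev["text"]):
            severity = "high" if recently_rotated else "medium"
            alerts.append((asset, f"{severity}: post links outside allowed domains"))
    return alerts, dict(revert_plan)


if __name__ == "__main__":
    for asset, reason in analyze(SAMPLE_EVENTS)[0]:
        print(asset, "-", reason)
```

The detector is deliberately stateful per asset: a profile edit on its own is routine, but a profile edit or an off-brand link within minutes of a credential change is the sequence that warrants an automatic lockdown, and the revert plan is captured from the same events so the profile can be restored without waiting for someone to remember what it used to say.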

Businesses must extend their perimeter to include social media, which remains invisible to most security teams. To make it happen, you’ll need a way to monitor every bit of information that leaves your business through both private and public channels. Your goal is to reduce risk and mitigate attacks before they start.

Often the biggest challenge is coping with the scale of risks. Social media is vast. It’s impossible for administrators to monitor every post, share, like, and response manually. It’s imperative you know immediately when something’s amiss and can take action quickly with automation. Finding out your credentials were compromised yesterday is too late.

Proactive defense and automation can help your teams cope with scale and prioritize the risks that matter to stop cyber espionage.


As the President, CTO, and Co-Founder of SafeGuard Cyber, Mr. Freire is responsible for the development and continuous innovation of SafeGuard Cyber’s enterprise platform, which enables global enterprise customers to extend cyber protection to social media and digital …


Siemens PLC Feature Can Be Exploited for Evil


A hidden feature in some newer models of the vendor’s programmable logic controllers leaves the devices open to attack. Siemens says it plans to fix it.

An undocumented access feature in some newer models of Siemens programmable logic controllers (PLCs) can be used as both a weapon by attackers as well as a forensic tool for defenders, researchers have discovered.

Researchers at Ruhr University Bochum in Germany stumbled across the hardware-based special access feature in Siemens’ S7-1200 PLCs while studying the device’s bootloader, which, among other things, handles software updates and verifies the integrity of the PLC’s firmware when the device starts up.

They found that an attacker using the special access feature could bypass the bootloader’s firmware integrity check within a half-second window when the PLC starts up and load malicious code to wrest control of the PLC’s processes.

Just why the special access feature resides in the PLCs remains a mystery. There have been cases of embedded devices found harboring hidden maintenance ports left behind by vendors, for example, but the researchers were baffled by the existence of this one in the Siemens PLCs.

“We don’t know why [Siemens has] this functionality,” says Ali Abbasi, a research scholar at Ruhr University Bochum, who worked on the research with PhD student Tobias Scharnowski and professor Thorsten Holz. “Security-wise, it’s wrong to have such a thing because you can also read and write to memory and dump the content of memory from the RAM.”

The researchers shared their findings with Siemens, which says it’s working on a fix for the vulnerability.

“Siemens is aware of the research from Ruhr University Bochum concerning hardware-based special access in SIMATIC S7-1200 CPUs. Siemens experts are working on a solution to resolve the issue. Siemens plans to publish further information regarding the vulnerability with a security advisory,” the company said in a statement provided to Dark Reading. “Customers will be informed using the usual Siemens ProductCERT communication channels.” 

A key question is whether the fix requires a hardware replacement rather than a software update. When asked whether the PLC fix would be a software or hardware update, Siemens said its “experts are evaluating the alternatives.”

But it turns out there is a silver lining with the Siemens PLC special access feature: “It’s also useful for people like us who protect these devices. It provides for memory forensics of the PLC,” Abbasi says.

The researchers were able to use the special access feature to view the content of the PLC memory, which means a plant operator could spot malicious code that may have been planted on his or her device. “Siemens doesn’t let you see the content of the [PLC] memory, but you can do that with this special access feature,” Abbasi says.

The researchers built a tool that performs this forensic memory dump, which they will release at Black Hat Europe next month in London, where they will present their research findings.

What They Did
The researchers were able to write their own code to the PLC’s flash chip via its firmware update feature without the bootloader’s checksum check detecting it. The question, they say, is how to mitigate this type of attack, since the malicious code would sit in the same flash memory that holds the bootloader.

“It really depends if Siemens can fix it via a software update or not. If they can with software, it also means the attacker can override the contents of the bootloader, which means there’s no way to fix it,” Abbasi says.

That’s one reason the researchers wanted to release their tool for dumping contents of the firmware. “That then means an attacker can’t hide his existence” in the PLC, Abbasi says.

An attacker with physical access to the port, or one who tampers with the PLC in the supply chain before it reaches the customer, could use this technique to read from and write to the device’s memory. That would allow the attacker to manipulate the operation of the PLC, for example by feeding the operator phony measurements or other instrumentation data.

“One of the main issues is there’s this notion of trust in a newly delivered PLC,” Scharnowski says.

He notes that it’s not the special access feature itself that allows you to read and write to the flash. “It’s a combination of features that if you put them together in a clever way, you can use them to get your own code execution on it,” Scharnowski says. “If you can do that, then you can control the PLC fully.”
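The two defensive points in this section, that the researchers’ own code sailed past the bootloader’s checksum and that a raw memory dump is what exposes such an implant, as an added worked example. It is not the Ruhr University Bochum tool and not Siemens code; the image layout (a 4-byte CRC32 trailer or a 32-byte HMAC-SHA256 trailer), the vendor key and the byte patterns are assumptions constructed for illustration, since the page does not document the real S7-1200 format. The example shows why an unkeyed checksum cannot detect attacker-written firmware (the attacker just recomputes it), why a keyed check does, and how diffing a dump against a golden image pinpoints the implant. The caveat from Abbasi’s quote above still applies: a keyed check only helps if the verifier and its key live somewhere the attacker cannot rewrite, such as ROM or a hardware root of trust.

```python
"""Firmware integrity: checksum vs keyed check, and locating an implant in a dump.

Added example, not the Ruhr University Bochum tool and not Siemens code.
The image layout, the vendor key and the implant bytes are assumptions
constructed for illustration.
"""
import hashlib
import hmac
import zlib

# Constructed "golden" firmware: 256 distinct bytes followed by 256 bytes of padding.
GOLDEN_CODE = bytes(range(256)) + b"\x00" * 256
VENDOR_KEY = b"constructed-vendor-key"        # assumption: held only by the vendor
ATTACKER_PAYLOAD = b"\xde\xad\xbe\xef" * 4    # constructed 16-byte implant


def with_checksum(code):
    """Unkeyed integrity trailer, the kind of check a bootloader checksum provides."""
    return code + zlib.crc32(code).to_bytes(4, "little")


def checksum_ok(image):
    code, trailer = image[:-4], image[-4:]
    return zlib.crc32(code).to_bytes(4, "little") == trailer


def with_mac(code, key):
    """Keyed trailer: only a holder of `key` can produce a valid one."""
    return code + hmac.new(key, code, hashlib.sha256).digest()


def mac_ok(image, key):
    code, tag = image[:-32], image[-32:]
    return hmac.compare_digest(hmac.new(key, code, hashlib.sha256).digest(), tag)


def implant(code, offset, payload):
    """Attacker overwrites part of the code, e.g. through the update path."""
    return code[:offset] + payload + code[offset + len(payload):]


def diff_regions(golden, dump):
    """Half-open [start, end) byte ranges where the dump differs from the golden image."""
    regions, start = [], None
    n = min(len(golden), len(dump))
    for i in range(n):
        if golden[i] != dump[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    if len(golden) != len(dump):
        regions.append((n, max(len(golden), len(dump))))
    return regions


def demo():
    """Run the three checks and return their outcomes."""
    tampered = implant(GOLDEN_CODE, 0x40, ATTACKER_PAYLOAD)
    # 1. Checksum: the attacker recomputes the trailer over the tampered code, so it passes.
    forged = with_checksum(tampered)
    # 2. Keyed check: without the key the attacker can only splice the old tag onto new code.
    golden_mac_image = with_mac(GOLDEN_CODE, VENDOR_KEY)
    spliced = tampered + golden_mac_image[-32:]
    # 3. Forensics: a dump compared against the golden image locates the implant.
    regions = diff_regions(GOLDEN_CODE, tampered)
    return {
        "checksum_accepts_forgery": checksum_ok(forged),
        "mac_accepts_splice": mac_ok(spliced, VENDOR_KEY),
        "implant_regions": regions,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The diff step is the defender’s half of the story: it needs a trustworthy golden image from the vendor and a dump taken by something the implant cannot lie to, which is exactly the gap the researchers’ dump tool is meant to fill.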

Props for Siemens Security
The researchers say they chose to study Siemens’ PLCs because it’s one of the market leaders and also because there’s little known publicly about the PLC’s operating system, Adonis.

While many embedded systems today remain poorly secured, they say Siemens has done more with security than some other vendors.

“Honestly, if you compare them to other PLCs, they are doing very well. They keep adding features and security features that we have to bypass,” Abbasi says. “They are doing a lot of good things that place them ahead of others in the embedded security domain.”

Even so, the researchers maintain there’s a lot more work to do in protecting plant operators from attackers or supply chain corruption of their PLCs. If there’s a special feature like the one in Siemens PLCs, they say, the vendor should inform their customers. “Customers deserve to know so in their risk calculation they can consider this risk as well,” Abbasi says.

The Ruhr University Bochum team’s work is the latest in a string of PLC research projects. This summer another team of security researchers built a phony engineering workstation that was able to dupe and alter operations of the Siemens S7 PLC after discovering that modern S7 PLC families running the same firmware also share the same public cryptographic key.

And in 2016, Abbasi, then a Ph.D. candidate at the University of Twente in the Netherlands, and Majid Hashemi, a system programmer and independent security researcher at the time, created a PLC rootkit that could operate on any brand of PLC.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …


#cybersecurity | #hackerspace | Why PAM Should Be a CISO’s Top Priority


Privileged access management (PAM) consists of the strategies and technologies for controlling elevated (“privileged”) access and permissions for users, accounts, processes and systems across an IT environment. By enforcing an appropriate level of privileged access control, PAM helps organizations shrink their attack surface and prevent, or at least limit, the damage from external attacks as well as from insider wrongdoing or negligence.

While privilege management encompasses many strategies, the central goal is the enforcement of least privilege, which is defined as the restriction of access rights and permissions for users, accounts, applications, systems, devices (such as IoT) and computing processes to the absolute minimum necessary to perform routine, authorized activities.

PAM has drastically changed the way enterprises protect access to critical systems. Using credential vaults and session control tools, PAM lets administrators keep privileged identities available for legitimate work while significantly decreasing the risk of their compromise. By centralizing privileged credentials in one place, a PAM system can protect them to a high standard, control who may retrieve them, log every access, and monitor for suspicious activity.

Analyst firms Forrester and Gartner both rank privileged access management as a top priority for CISOs, and it’s no wonder why. PAM protects the digital identities that, if stolen, could bring the entire organization to a halt.
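The mechanism described above (a central vault, least-privilege policy on who may retrieve which credential, logging of every access, and monitoring of that log) as an added worked example. This is not code from any PAM product; the roles, accounts, users, business-hours rule and request sequence are constructed for illustration. Two design choices worth noting: a check-out is an exclusive, time-limited lease rather than a permanent disclosure, and the secret is rotated on check-in so the value a user saw stops working once they return it.

```python
"""A minimal privileged-credential broker: least-privilege check-out,
short exclusive leases, rotation on return, and an audit trail that is
itself monitored.

Added example, not code from any PAM product. The roles, accounts, users,
business-hours rule and request sequence are constructed for illustration.
"""
import secrets
from collections import Counter
from datetime import datetime, timedelta

# Least privilege: each role may borrow only the accounts its job needs.
ROLE_ACCOUNTS = {
    "dba": {"prod-db-admin"},
    "sre": {"prod-root", "prod-db-admin"},
    "helpdesk": {"ad-password-reset"},
}
USER_ROLES = {"alice": "dba", "bob": "helpdesk"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59; grants outside this window are flagged


class Vault:
    """Central store for privileged secrets; they leave only via checkout()."""

    def __init__(self, lease=timedelta(minutes=30)):
        accounts = {a for accts in ROLE_ACCOUNTS.values() for a in accts}
        self._secrets = {a: secrets.token_urlsafe(16) for a in accounts}
        self._leases = {}   # account -> (user, expiry)
        self.lease = lease
        self.audit = []     # every decision, granted or not

    def _log(self, now, user, account, outcome, detail):
        self.audit.append({"ts": now, "user": user, "account": account,
                           "outcome": outcome, "detail": detail})

    def checkout(self, user, account, now, reason):
        """Hand out the secret only if the user's role permits it and nobody
        else holds an unexpired lease. Returns the secret or None."""
        role = USER_ROLES.get(user)
        if account not in ROLE_ACCOUNTS.get(role, set()):
            self._log(now, user, account, "denied", f"role {role} may not use {account}")
            return None
        holder = self._leases.get(account)
        if holder and holder[1] > now and holder[0] != user:
            self._log(now, user, account, "denied", f"held by {holder[0]} until {holder[1]:%H:%M}")
            return None
        self._leases[account] = (user, now + self.lease)
        self._log(now, user, account, "granted", reason)
        return self._secrets[account]

    def checkin(self, user, account, now):
        """Return the lease; the secret is rotated so the borrowed value dies."""
        holder = self._leases.get(account)
        if holder is None or holder[0] != user:
            self._log(now, user, account, "denied", "no lease to return")
            return False
        del self._leases[account]
        self._secrets[account] = secrets.token_urlsafe(16)
        self._log(now, user, account, "checkin", "secret rotated")
        return True


def suspicious(audit):
    """Monitoring over the audit trail: repeated denials and after-hours grants."""
    findings = []
    denials = Counter(e["user"] for e in audit if e["outcome"] == "denied")
    for user, n in denials.items():
        if n >= 2:
            findings.append(f"{user}: {n} denied requests")
    for e in audit:
        if e["outcome"] == "granted" and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(f"{e['user']}: after-hours checkout of {e['account']} at {e['ts']:%Y-%m-%d %H:%M}")
    return findings


def demo():
    """Constructed request sequence; returns the vault plus alice's two secrets."""
    v = Vault()
    t = datetime(2019, 11, 6, 10, 0)
    first = v.checkout("alice", "prod-db-admin", t, "ticket 1234: index rebuild")
    v.checkout("bob", "prod-root", t + timedelta(minutes=5), "just looking")       # denied
    v.checkout("bob", "prod-db-admin", t + timedelta(minutes=6), "just looking")   # denied
    v.checkin("alice", "prod-db-admin", t + timedelta(minutes=20))
    second = v.checkout("alice", "prod-db-admin", t + timedelta(minutes=21), "ticket 1234: follow-up")
    v.checkout("bob", "ad-password-reset", datetime(2019, 11, 7, 2, 0), "unspecified")  # after hours
    return v, first, second


if __name__ == "__main__":
    vault, _, _ = demo()
    for finding in suspicious(vault.audit):
        print(finding)
```

In a real deployment the check-out would also bind the session to a recorded, brokered connection rather than revealing the password at all, but the audit and policy shape is the same: a request that is denied is as important to log as one that is granted, because a helpdesk user probing for root is the early signal.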

Privileged Credentials are Attractive Targets

The very existence of privileged accounts creates a huge liability. If a single digital identity can grant such unrestricted access, the consequences of that identity being exposed could be catastrophic. Hackers are aware of that fact, which is why powerful users are privileged targets.

Privileged user accounts are significant targets for attack as they have elevated permissions, access to confidential information and the ability to change settings. If compromised, organizational operations will be (Read more…)
