CYBR650

Week 12

IT Threats Over Time

Most things change over time and threats are no exception. The International Organization for Standardization (ISO) definition of IT risk is; the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. What were cyber threats several years ago have been mitigated by the software companies with security updates. Cyber criminals will adapt their approach as each threat is closed. They will find new ways to attack as technology changes.

Company policy changes over time, this can change the types of threats a company can go through. ARCON Techsolutions stated “Moreover, business requirements, vulnerabilities and threats can change over the time. Thus continuous governance is a must.” (Arconnet) If a company changes its policies or business directions could cause a whole new series of threats. For instance a company starts deploying mobile applications to market their products could open them up to a whole new type of threats they had never thought of before.

There are other threats that businesses have had to adapt to over time. Public opinion can present a greater threat than many physical threats ever could. A data breach has caused some companies to go out of business or lose millions in sales. If the public sees a company in a negative way their sales drop, so they have to anticipate public opinion. Companies have public affair department that will respond to public opinion threats and have mitigation plans in place for what they think are most probable.

Reference

Arconnet. (n.d.). IT Risk Management – What’s the catch, what to watch. Retrieved from Arcon: https://arconnet.com/Whitepapers/IT-risk-management.pdf

.

CYBR650

Week 10

Let’s Encrypt Issues Fraudulent “PayPal Certificates

Let’s Encrypt is a company that offers free Certificate Authority (CA) certificates allowing websites the ability to use Transport Layer Security (TLS) to protect users from eaves dropping thus protecting their in transit data. The company was launched in December 2015 and was out of Beta testing in April 2016. Almost 15,000 fraudulent PayPal certificate were issue by Let’s Encrypt by November 2016, most used for Phishing attacks.

According to Ionut Arghire from Security Week magazine “Even before being launched, Let’s Encrypt fueled fears that it could be abused by cybercriminals for their nefarious purposes. What’s more, the CA claims that it is not its job to stop malicious sites from using its certificates, meaning that phishers can use its certificates without fearing they might be banned” (Arghire, 2017) With the easy access to the certificates fake PayPal CA’s are increasing monthly. It’s estimated that 2,530 were issued in December 2016, 3,995 in January 2017 and 5,101 in February 2017.

The number sound very alarming but according to Vincent Lynch an encryption expert “Phishing sites usually have a very short lifespan, mainly because they tend to be flagged and blocked rather fast, which explains why cybercriminals tend to register as many of them as possible. Making them look as legitimate as possible also helps these sites stay alive for longer. The various initiatives encouraging HTTPS are likely to appeal to phishers as well. There are a number of performance benefits (such as HTTP/2) only available to sites using HTTPS. In addition, sites using valid SSL certificates are given trusted UI indicators by browsers (the padlock icon in all browsers, the “Secure” label in Chrome) which make a phishing site look more legitimate,” (Arghire, 2017)

References

Arghire, I. (2017, Mar 27). Let's Encrypt Issues 15,000 Fraudulent "PayPal" Certificates Used for Cybercrime. Retrieved from Security Week: http://www.securityweek.com/lets-encrypt-issues-15000-fraudulent-paypal-certificates-used-cybercrime

CYBR650

Week 9

OAuth Rules Are Strengthened By Google To Combat Phishing Attacks

Gmail users were attacked during the week of May 1, 2017. Google blocks millions of phishing attacks each day, but the latest incident showed googles system isn’t fool proof. The attack successfully tricked Gmail users into granting access to their contacts to a fake third party tool called Google Doc’s. Once the attacker was successful they were able to resend the phishing attack to everyone in the victims contact list. The phishing email seemed to come from a trusted person and claimed to have a link the sender wanted to share via a link to Google Docs.

Google was able to spot the attack and block it fairly quickly, but the attacker used OAuth which prevented the victim from being able to protect themselves even by changing their password. The only countermeasure was to remove permissions from the offending app was able to fix the issue. Google stated “We’re committed to keeping your Google Account safe, and have layers of defense in place to guard against sophisticated attacks of all types, from anti-hijacking systems detecting unusual behavior, to machine learning models that block malicious content, to protection measures in Chrome and through Safe Browsing that guard against visiting suspicious sites” (Arghire, 2017)

Google has announced it is updating its policies on OAuth application to help prevent this type of attack from happening in the future. They are also updating their anti-spam system and increasing their monitoring of suspicious sites. According to Google, “less than 0.1% of Gmail users were impacted by last week’s “Google Docs” incident, but, as Talos’ Sean Baird and Nick Biasini point out, this proof-of-concept did reveal that a convincing Google phish via OAuth is possible.” (Arghire, 2017)

References

Arghire, I. (2017, May 09). Google Tightens OAuth Rules to Combat Phishing. Retrieved from Security Week: http://www.securityweek.com/google-tightens-oauth-rules-combat-phishing

CYBR650

Week 8

SS7 vulnerabilities used to steal money from bank accounts

Cyber hackers have found a vulnerability in the SS7 protocol allowing them to steal money from bank accounts.  SS7 which stands for Signal System 7 is a protocol used in telephony telecommunications worldwide. It provides most of the world the ability to make call from different networks. It was developed in the mid 1970’s and does not provide any protections or requires any authentication making it easy for third parties to connect to the SS7 network.

German newspaper Süddeutsche Zeitung reported on Wednesday May 3, 2017 hackers had used a vulnerability in SS7 to get around the two-factor authentication (2FA) and were able to complete unauthorized wire transfers. The attackers most likely used phishing techniques to gain access to bank account information. According to Eduard Kovacs from Security Week magazine “and then launched an SS7 attack to obtain the mobile transaction authentication number (mTAN) sent by the bank via SMS. mTANs are one-time passwords used by banks to confirm financial transactions… According to Süddeutsche Zeitung, the attackers forwarded the SMS messages containing the mTAN to a number they controlled, allowing them to complete the wire transfers they had initiated from victims’ accounts.” (Kovacs, 2017)

References

Kovacs, E. (2017, May 4). Hackers Exploit SS7 Flaws to Loot Bank Accounts. Retrieved from Security Week: http://www.securityweek.com/hackers-exploit-ss7-flaws-loot-bank-accounts

CYBR650

Week-7

Possible Payment Card Breach – Chipotle

The popular restaurant Chipotle Mexican Grill with over 2000 locations has announced its payment processing system was breached. A Chipotle spokesperson said the company discovered unauthorized activity on its network. They are aggressively investigating the breach and have only provided limited information for now. Initial news shows the intruders may have accessed information from cards used at their restaurants between March 24 and April 18, 2017.

Law enforcement and cybersecurity firms have been notified along with its payment processing firm. Security enhancements have been implemented and they believe the vulnerability has been contained. Chipotle spokesperson stated “Consistent with good practices, consumers should closely monitor their payment card statements … If anyone sees an unauthorized charge, they should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges.” (Kovacs, 2017) There have been several other chain restaurants reporting data breaches in just the past few months to include; Shoney’s, CiCi’s, Arby’s, Wendy’s and Noodles & Company.

References

Kovacs, E. (2017, April 26). Chipotle Investigating Payment Card Breach. Retrieved from Security Week: http://www.securityweek.com/chipotle-investigating-payment-card-breach

CYBR650-T302
Week-6

Threat of Unicode Domain Spoofing Fix Addressed For Chrome

On Wednesday April 19, 2017 Google released Chrome 58 to help address 29 known vulnerabilities. One of these vulnerabilities was known as “Unicode Domain Phishing”. The issue resides in Unicode characters in hostnames through what is called Punycode. Punycode can take characters and change them in a way to allow a hacker to spoof legitimate websites for the purpose of phishing attacks.  According to the Security week article by Ionut Arghire “The issue was also demonstrated by Avanan researchers in December 2016, when they stumbled upon live phishing attacks targeting Office 365 business email users. Using Unicode characters, attackers could create a site looking like http://www.pаypal.com/, but which actually resolved to http://www.xn--pypal-4ve.com/, thus bypassing Office 365’ anti-phishing defenses, the researchers explained.” (Arghire, 2017) 

References

Arghire, I. (2017, April 20). Chrome Addresses Threat of Unicode Domain Spoofing. Retrieved from Security Week: http://www.securityweek.com/chrome-addresses-threat-unicode-domain-spoofing

CYBR650-T302
Week 5

Magento Flaw Exposes Vulnerability for Online Stores

Magento is an e-commerce platform that is vulnerable to hackers. It is used by more than 250,000 vendors worldwide to include Burger King and Coca-Cola. The vulnerability was found in November by the company DefenseCode. When DefenseCode notified Magento, they were told they were aware but it had not been addressed. After several attempts to get status on the potentially serious issue from Magento failed, DefenseCode went public with their findings.

          A new feature which allows users to add Vimeo video content to existing products can leave the system open to an attack. According to the article by Eduard Kovacs “This request method can be changed from POST to GET, allowing an attacker to launch a cross-site request forgery (CSRF) attack and upload an arbitrary file. While invalid image files are not allowed, the file is still saved on the server before it is validated.” (Kovacs, 2017)    Researchers have determined if the attacker is successful, they can gain complete control of the targeted system.  

References

Kovacs, E. (2017, April 14). Unpatched Magento Flaw Exposes Online Stores to Attacks. Retrieved from Securityweek.com: http://www.securityweek.com/unpatched-magento-flaw-exposes-online-stores-attacks