Monday, May 22, 2017




CYBR650
Week 12

IT Threats Over Time

Most things change over time, and threats are no exception. The International Organization for Standardization (ISO) definition of IT risk is: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. Many of the cyber threats of several years ago have since been mitigated by software companies through security updates. Cyber criminals adapt their approach as each threat is closed, and they find new ways to attack as technology changes.

Company policy also changes over time, and this changes the types of threats a company faces. ARCON Techsolutions stated “Moreover, business requirements, vulnerabilities and threats can change over the time. Thus continuous governance is a must.” (Arconnet) If a company changes its policies or business direction, it can face a whole new series of threats. For instance, a company that starts deploying mobile applications to market its products opens itself up to a whole new type of threat it had never considered before.

There are other threats that businesses have had to adapt to over time. Public opinion can present a greater threat than many physical threats ever could. A data breach has caused some companies to go out of business or lose millions in sales. If the public views a company negatively, its sales drop, so companies have to anticipate public opinion. Companies have public affairs departments that respond to public-opinion threats and keep mitigation plans in place for the ones they consider most probable.



Reference

Arconnet. (n.d.). IT Risk Management – What’s the catch, what to watch. Retrieved from Arcon: https://arconnet.com/Whitepapers/IT-risk-management.pdf




Thursday, May 18, 2017



CYBR650
Week 10



Let’s Encrypt Issues Fraudulent “PayPal” Certificates

Let’s Encrypt is a Certificate Authority (CA) that offers free certificates, allowing websites to use Transport Layer Security (TLS) to protect users from eavesdropping and thus protect their data in transit. The organization was launched in December 2015 and came out of Beta testing in April 2016. Almost 15,000 fraudulent “PayPal” certificates had been issued by Let’s Encrypt by November 2016, most of them used for phishing attacks.

According to Ionut Arghire from Security Week magazine, “Even before being launched, Let’s Encrypt fueled fears that it could be abused by cybercriminals for their nefarious purposes. What’s more, the CA claims that it is not its job to stop malicious sites from using its certificates, meaning that phishers can use its certificates without fearing they might be banned” (Arghire, 2017). With such easy access to certificates, the number of fake PayPal certificates is increasing monthly. It’s estimated that 2,530 were issued in December 2016, 3,995 in January 2017 and 5,101 in February 2017.

The numbers sound very alarming, but according to encryption expert Vincent Lynch, “Phishing sites usually have a very short lifespan, mainly because they tend to be flagged and blocked rather fast, which explains why cybercriminals tend to register as many of them as possible. Making them look as legitimate as possible also helps these sites stay alive for longer. The various initiatives encouraging HTTPS are likely to appeal to phishers as well. There are a number of performance benefits (such as HTTP/2) only available to sites using HTTPS. In addition, sites using valid SSL certificates are given trusted UI indicators by browsers (the padlock icon in all browsers, the “Secure” label in Chrome) which make a phishing site look more legitimate.” (Arghire, 2017)


References


Arghire, I. (2017, Mar 27). Let's Encrypt Issues 15,000 Fraudulent "PayPal" Certificates Used for Cybercrime. Retrieved from Security Week: http://www.securityweek.com/lets-encrypt-issues-15000-fraudulent-paypal-certificates-used-cybercrime




Wednesday, May 10, 2017


CYBR650

Week 9



OAuth Rules Are Strengthened By Google To Combat Phishing Attacks

Gmail users were attacked during the week of May 1, 2017. Google blocks millions of phishing attacks each day, but the latest incident showed that Google’s system isn’t foolproof. The attack successfully tricked Gmail users into granting access to their contacts to a fake third-party application called “Google Docs”. Once the attacker succeeded, the phishing message was resent to everyone in the victim’s contact list. The phishing email appeared to come from a trusted person and claimed to contain a document the sender wanted to share via a link to Google Docs.

Google was able to spot the attack and block it fairly quickly, but because the attacker used OAuth, victims could not protect themselves even by changing their password; the only effective countermeasure was to revoke the offending app’s permissions. Google stated “We’re committed to keeping your Google Account safe, and have layers of defense in place to guard against sophisticated attacks of all types, from anti-hijacking systems detecting unusual behavior, to machine learning models that block malicious content, to protection measures in Chrome and through Safe Browsing that guard against visiting suspicious sites” (Arghire, 2017).

Google has announced that it is updating its policies on OAuth applications to help prevent this type of attack from happening in the future. It is also updating its anti-spam system and increasing its monitoring of suspicious sites. According to Google, “less than 0.1% of Gmail users were impacted by last week’s “Google Docs” incident, but, as Talos’ Sean Baird and Nick Biasini point out, this proof-of-concept did reveal that a convincing Google phish via OAuth is possible.” (Arghire, 2017)

References
Arghire, I. (2017, May 09). Google Tightens OAuth Rules to Combat Phishing. Retrieved from Security Week: http://www.securityweek.com/google-tightens-oauth-rules-combat-phishing

Sunday, May 7, 2017



CYBR650
Week 8

SS7 vulnerabilities used to steal money from bank accounts

Attackers have exploited a vulnerability in the SS7 protocol to steal money from bank accounts. SS7, which stands for Signaling System 7, is a protocol used in telephony worldwide. It gives most of the world the ability to place calls between different networks. It was developed in the mid-1970s and provides no protection and requires no authentication, making it easy for third parties to connect to the SS7 network.

German newspaper Süddeutsche Zeitung reported on Wednesday, May 3, 2017, that hackers had used a vulnerability in SS7 to get around two-factor authentication (2FA) and complete unauthorized wire transfers. The attackers most likely used phishing techniques to gain access to bank account information first. According to Eduard Kovacs from Security Week magazine, the attackers “then launched an SS7 attack to obtain the mobile transaction authentication number (mTAN) sent by the bank via SMS. mTANs are one-time passwords used by banks to confirm financial transactions… According to Süddeutsche Zeitung, the attackers forwarded the SMS messages containing the mTAN to a number they controlled, allowing them to complete the wire transfers they had initiated from victims’ accounts.” (Kovacs, 2017)



References

Kovacs, E. (2017, May 4). Hackers Exploit SS7 Flaws to Loot Bank Accounts. Retrieved from Security Week: http://www.securityweek.com/hackers-exploit-ss7-flaws-loot-bank-accounts

Thursday, April 27, 2017


CYBR650
Week-7

Possible Payment Card Breach – Chipotle

The popular restaurant chain Chipotle Mexican Grill, with over 2,000 locations, has announced that its payment processing system was breached. A Chipotle spokesperson said the company discovered unauthorized activity on its network. The company is aggressively investigating the breach and has provided only limited information so far. Initial reports indicate the intruders may have accessed information from cards used at its restaurants between March 24 and April 18, 2017.

Law enforcement and cybersecurity firms have been notified, along with its payment processing firm. Security enhancements have been implemented and the company believes the vulnerability has been contained. A Chipotle spokesperson stated “Consistent with good practices, consumers should closely monitor their payment card statements … If anyone sees an unauthorized charge, they should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges.” (Kovacs, 2017) Several other restaurant chains have reported data breaches in just the past few months, including Shoney’s, CiCi’s, Arby’s, Wendy’s and Noodles & Company.

References

Kovacs, E. (2017, April 26). Chipotle Investigating Payment Card Breach. Retrieved from Security Week: http://www.securityweek.com/chipotle-investigating-payment-card-breach






Saturday, April 22, 2017

CYBR650-T302
Week-6



Threat of Unicode Domain Spoofing Addressed in Chrome

On Wednesday, April 19, 2017, Google released Chrome 58, which addresses 29 known vulnerabilities. One of these vulnerabilities was known as “Unicode Domain Phishing”. The issue involves Unicode characters in hostnames, which are encoded into ASCII through a scheme called Punycode. Because some Unicode characters look identical to Latin letters, an attacker can register a hostname that displays like a legitimate website’s address and use it for phishing attacks. According to the Security Week article by Ionut Arghire, “The issue was also demonstrated by Avanan researchers in December 2016, when they stumbled upon live phishing attacks targeting Office 365 business email users. Using Unicode characters, attackers could create a site looking like http://www.pаypal.com/, but which actually resolved to http://www.xn--pypal-4ve.com/, thus bypassing Office 365’ anti-phishing defenses, the researchers explained.” (Arghire, 2017)
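To see how the hostname in the quote above works, here is an added example (my own code, not from the Security Week article or from Chrome) that decodes the Punycode labels of a hostname back to the text a browser might display and flags labels that mix scripts, which is the pattern behind the look-alike domain. The hostname is taken from the quote; the mixed-script rule is one simple heuristic, not Chrome’s full policy.

```python
import unicodedata

# Hostname from the Avanan case quoted above: the second label hides a
# Cyrillic "а" (U+0430), which Punycode encodes as the ASCII label "xn--pypal-4ve".
CONSTRUCTED_HOSTNAME = "www.xn--pypal-4ve.com"


def decode_hostname(hostname: str) -> str:
    """Decode every Punycode ("xn--") label back to the Unicode text a browser
    might display. Labels without the prefix are returned unchanged."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            # Python's built-in punycode codec implements RFC 3492.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_in_label(label: str) -> set:
    """Return the set of scripts used by the letters of one label, taken from
    the first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_suspicious(hostname: str) -> bool:
    """Flag a hostname when any decoded label mixes scripts, e.g. Latin letters
    with a single Cyrillic look-alike, as in the domain discussed above."""
    for label in decode_hostname(hostname).split("."):
        if len(scripts_in_label(label)) > 1:
            return True
    return False


if __name__ == "__main__":
    shown = decode_hostname(CONSTRUCTED_HOSTNAME)
    print(shown, [hex(ord(c)) for c in shown.split(".")[1]])
    print("suspicious:", is_suspicious(CONSTRUCTED_HOSTNAME))
```

A label written entirely in one non-Latin script that happens to resemble a Latin word is not caught by this rule, which is why browser policies add further checks on top of it.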



References



Arghire, I. (2017, April 20). Chrome Addresses Threat of Unicode Domain Spoofing. Retrieved from Security Week: http://www.securityweek.com/chrome-addresses-threat-unicode-domain-spoofing









Sunday, April 16, 2017

CYBR650-T302
Week 5


Magento Flaw Exposes Vulnerability for Online Stores


Magento is an e-commerce platform with an unpatched vulnerability that leaves it exposed to attackers. It is used by more than 250,000 vendors worldwide, including Burger King and Coca-Cola. The vulnerability was found in November by the company DefenseCode. When DefenseCode notified Magento, they were told the company was aware of the issue but had not addressed it. After several attempts to get a status update on the potentially serious issue from Magento failed, DefenseCode went public with its findings.

A new feature that allows users to add Vimeo video content to existing products can leave the system open to attack. According to the article by Eduard Kovacs, “This request method can be changed from POST to GET, allowing an attacker to launch a cross-site request forgery (CSRF) attack and upload an arbitrary file. While invalid image files are not allowed, the file is still saved on the server before it is validated.” (Kovacs, 2017) Researchers determined that a successful attacker can gain complete control of the targeted system.
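The two defects in the quote (a state-changing handler that accepts GET without a CSRF token, and a file written to disk before it is validated) are easiest to see side by side. The following is an added example with a constructed in-memory request object and “disk”, not Magento’s code; `hardened_upload` shows the checks a fixed handler would perform.

```python
import hmac
import secrets

# Constructed stand-ins for a session store, a request and an upload directory.
SESSION_CSRF_TOKEN = secrets.token_hex(16)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


class Request:
    def __init__(self, method, params, file_bytes, session_token=SESSION_CSRF_TOKEN):
        self.method = method                # "GET" or "POST"
        self.params = params                # query-string or form fields
        self.file_bytes = file_bytes        # the uploaded "image"
        self.session_token = session_token  # token bound to the victim's session


def is_valid_image(data: bytes) -> bool:
    """Minimal image check: the upload must start with a PNG signature."""
    return data.startswith(PNG_MAGIC)


def vulnerable_upload(req: Request, disk: dict) -> str:
    """Mirrors the behaviour described in the article: any HTTP method is
    accepted, no CSRF token is checked, and the file is saved before validation."""
    disk[req.params["name"]] = req.file_bytes   # written first ...
    if not is_valid_image(req.file_bytes):
        return "rejected"                         # ... validated too late
    return "stored"


def hardened_upload(req: Request, disk: dict) -> str:
    """State-changing handler done properly: POST only, a session-bound CSRF
    token that must match, and validation before anything touches disk."""
    if req.method != "POST":
        return "rejected: method"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session_token):
        return "rejected: csrf"
    if not is_valid_image(req.file_bytes):
        return "rejected: not an image"
    disk[req.params["name"]] = req.file_bytes
    return "stored"


def forged_get_request() -> Request:
    """A cross-site GET rides on the victim's session cookie but carries no
    form token; here it delivers a non-image payload (constructed bytes)."""
    return Request("GET", {"name": "upload.bin"}, b"this is not a PNG")
```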


References


Kovacs, E. (2017, April 14). Unpatched Magento Flaw Exposes Online Stores to Attacks. Retrieved from Securityweek.com: http://www.securityweek.com/unpatched-magento-flaw-exposes-online-stores-attacks






 






Thursday, April 6, 2017

CYBR650-T302
Week 4


Wi-Fi Flaws Discovered in iPhone, Nexus and Other Smartphones

Google Project Zero researcher Gal Beniamini has discovered vulnerabilities in Broadcom’s Wi-Fi system-on-chip (SoC) that allow an attacker to hijack cell phones without any interaction from the user. Broadcom Wi-Fi chips are used in many cell phone brands, including Google’s Nexus 5, 6 and 6P, the iPhone 4 and later, and most Samsung Android smartphones.

According to Gal Beniamini, “An attacker who is in Wi-Fi range can exploit the security holes found by the Google researcher to take complete control of a vulnerable device without any user interaction.” (Kovacs, 2017) Broadcom was very responsive in fixing the issues and supplying patches to the affected companies.

Apple has scheduled an emergency security update for the remote code execution vulnerability. Samsung has also released a maintenance update with a Google patch and security fix for the Wi-Fi vulnerability.


References



Kovacs, E. (2017, April 5). Wi-Fi Flaws Expose iPhone, Nexus Phones to Attacks. Retrieved from Security Week: http://www.securityweek.com/wi-fi-flaws-expose-iphone-nexus-phones-attacks






Wednesday, March 29, 2017

CYBR650-T302
Week 3



New Mirai Variant of Infamous IoT Botnet Unleashes 54-Hour DDoS Attack

A variant of the Mirai botnet was identified as the culprit behind a 54-hour Distributed Denial of Service (DDoS) attack against a U.S. college. Last October, the Mirai botnet was behind one of the most talked-about DDoS attacks in history. Mirai is malware that automatically finds vulnerable Internet of Things (IoT) devices and enrolls them into a group of computing devices that can be centrally controlled. Once enough devices have been assembled, they can be used to launch a DDoS attack that floods a target’s servers with traffic.

Since the Mirai botnet source code was leaked, several new variants have surfaced. One version attacked 2,400 TalkTalk Telecom home routers in the UK; a new Windows variant has been found that spreads the Linux Trojan to other IoT devices; and more than 900,000 Deutsche Telekom customers in Germany had their internet service disrupted. Researchers have recently found that 80 models of Sony cameras are vulnerable to a Mirai takeover.

According to Security Week magazine, “On Feb. 28, the new Mirai threat was used to launch a DDoS attack against a US college, and researchers say that the assault continued for 54 hours straight. The average traffic was of over 30,000 requests per second (RPS) and peaked at around 37,000 RPS, the highest of any Mirai botnet (the attack generated a total of over 2.8 billion requests).” (Arghire, 2017)

References

Arghire, I. (2017, March 29). New Mirai Variant Unleashes 54-Hour DDoS Attack. Retrieved from Security Week: http://www.securityweek.com/new-mirai-variant-unleashes-54-hour-ddos-attack
Newman, L. (2016, December 09). The Botnet That Broke the Internet Isn’t Going Away. Retrieved from Wired: https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/



Saturday, March 25, 2017

Be Wary of Cyber Security Threat Sites

While there are many websites where one can find information on current threats, vulnerabilities, updates and security news, we all need to be cautious of conflicting information. Below are some credible sites for verifying information found on the internet. I have included a small excerpt from each of their sites.

MSDN - The greatest threat to computer systems and their information comes from humans, through actions that are either malicious or ignorant. When the action is malicious, some motivation or goal is generally behind the attack. (MSDN, 2017)
Symantec - Symantec sees more threats, and protects more customers from the next generation of attacks. (Symantec, 2017)
US-CERT (United States Computer Emergency Readiness Team) - The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT. (US-CERT, 2017) US-CERT is a division of the Department of Homeland Security.
Security Week Magazine - SecurityWeek provides authoritative news and columns from information security experts and is a trusted source of information and insight to senior level information security executives, researchers and service providers. SecurityWeek content and resources focus on security strategies, techniques, research and statistics. Other coverage includes online privacy and compliance, cybercrime, and other security trends. (Security Week, 2017)

References

MSDN. (2017). Security Threats . Retrieved from Developer network: https://msdn.microsoft.com/en-us/library/cc723507.aspx#XSLTsection122121120120
Security Week. (2017). Virus & Threats. Retrieved from Security Week: http://www.securityweek.com/virus-threats
Symantec. (2017). About Symantec. Retrieved from Symantec: https://www.symantec.com/about
US-CERT. (2017). Current Activity . Retrieved from US-CERT: https://www.us-cert.gov/ncas/current-activity




Saturday, March 18, 2017

CYBR650 Current Trends in Cybersecurity


This course presents an in-depth study of current trends in Cybersecurity threats. Discussion includes the identification and management of threats and vulnerabilities within an effective enterprise security program. Prior Cybersecurity education is synthesized through projects and assignments.


This will be my 11th class towards a Master's in Cyber Security (one more to go!!!).


During this semester I will post articles that I hope will be of interest. I normally look for new technologies or exploits that have not made a big splash in the news but that people need to know about.