The US Justice Department announced an effort to disrupt VPNFilter, a botnet of hundreds of thousands of infected small office and home office (SOHO) routers and other networked devices under the control of a Russia-linked APT group.
Yesterday Cisco Talos and other security firms revealed the discovery of a huge botnet, tracked as VPNFilter, composed of more than 500,000 compromised routers and network-attached storage (NAS) devices; now more details have emerged on the case.
The experts believe VPNFilter was developed by Russia. The associated malware compromised devices across 54 countries, most of them in Ukraine.
On May 8, Talos researchers observed a spike in VPNFilter infection activity, most of it in Ukraine, and the majority of the compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33 (written here in defanged form).
The experts discovered the VPNFilter malware has infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.
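As an added example that is not part of the original reporting, the following Python script shows how a defender would sweep firewall or flow logs for contacts with the stage 2 C2 address quoted above. The key=value log format and every log line are constructed for the example; the only real indicator is the IP. An IP indicator is weak by nature, since the operators can move the stage 2 infrastructure, so a hit confirms a device worth investigating while a clean sweep does not prove absence.

```python
"""Sweep firewall/flow logs for contacts with the VPNFilter stage-2 C2 address."""
import ipaddress
import re
from collections import defaultdict

# Indicator from the Talos reporting, kept in the "defanged" form the report
# uses so it cannot be clicked or resolved by accident.
DEFANGED_IOCS = ["46.151.209[.]33"]

# Constructed sample log lines (not from any real device); the key=value layout
# is modelled loosely on a SOHO firewall export.
SAMPLE_LOG = """\
2018-05-08T03:12:44Z src=192.168.1.1 dst=46.151.209.33 dport=443 proto=tcp action=allow
2018-05-08T03:12:45Z src=192.168.1.20 dst=151.101.1.69 dport=443 proto=tcp action=allow
2018-05-08T03:13:01Z src=192.168.1.1 dst=46.151.209.33 dport=443 proto=tcp action=allow
2018-05-08T03:14:10Z src=10.0.0.254 dst=46.151.209.33 dport=80 proto=tcp action=allow
2018-05-08T03:15:00Z src=192.168.1.20 dst=8.8.8.8 dport=53 proto=udp action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def refang(ioc: str) -> str:
    """Turn '46.151.209[.]33' (or 'hxxp://...') back into a usable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def find_c2_contacts(log_text: str, defanged_iocs=DEFANGED_IOCS) -> dict:
    """Return {source_ip: [(timestamp, dst, dport), ...]} for every flow to a C2 IoC."""
    c2 = {ipaddress.ip_address(refang(i)) for i in defanged_iocs}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # hostnames or garbage in the dst field are skipped
        if dst in c2:
            hits[m["src"]].append((m["ts"], str(dst), int(m["dport"])))
    return dict(hits)


if __name__ == "__main__":
    for src, flows in find_c2_contacts(SAMPLE_LOG).items():
        print(f"{src}: {len(flows)} flow(s) to stage-2 C2, first seen {flows[0][0]}")
```

The function takes a list of indicators rather than the single address so the same sweep can be rerun as further stage 2 addresses are published; the devices that appear as `src` are the ones to reboot and then remediate.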
The US Justice Department announced it had seized a domain used as part of the botnet's command and control infrastructure, and it explicitly names as the operator the Russian APT actor it calls the Sofacy Group, listing APT28, Pawn Storm, Sandworm and Fancy Bear among its aliases.
“The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”).” reads the press release published by the DoJ.
“Today’s announcement highlights the FBI’s ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices,” said Assistant Director Scott Smith. “By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI’s work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”
The VPNFilter botnet targets SOHO routers and network-attached storage (NAS) devices and uses several stages of malware. The experts highlighted that the second stage, which implements the malicious capabilities, does not survive a reboot and can be cleared from a device by rebooting it, while the first stage implements a persistence mechanism and remains on the device to pull the second stage back down.
The Justice Department had obtained a warrant authorizing the FBI to seize the domain that is part of the command and control infrastructure of the VPNFilter botnet.
Technically the operation conducted by the US authorities is called sinkholing: once the domain is seized, the beacons sent by the malware are redirected to a server controlled by law enforcement, which lets investigators and security experts analyze the traffic associated with the botnet, gather further information on the threat and enumerate the infected devices, while temporarily neutralizing that part of the infrastructure.
“In order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western District of Pennsylvania applied for and obtained court orders, authorizing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure.” continues the DoJ.
“This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs).”
The owners of SOHO and NAS devices should reboot them as soon as possible. Rebooting temporarily removes the second stage malware and causes the surviving first stage to reach out to the C&C domain for instructions, so the contact now lands on the FBI-controlled server and the device's IP address is recorded for notification. A reboot alone does not remove the first stage, and the device remains exposed to reinfection until it is properly remediated.
“Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.” continues the DoJ.
Experts are particularly concerned by the destructive capability implemented by the malware, which could allow the attackers to render the infected devices unusable in order to cover their tracks.
Part of the cyber security community believes that the botnet could be used to launch a massive attack around Ukraine's Constitution Day; last year the NotPetya wiper attack was launched in the same period.
Both Justice and Cisco said they were releasing details of the problem before having found a strong, permanent fix. Justice said that by seizing control of one of the domains involved in running VPNFilter, it gives owners of infected routers a chance to reboot them, forcing the devices to begin communicating with the now-neutralized command domain.
The underlying vulnerability in the devices will remain, Justice said, but the move buys time to identify infected devices and intervene in other parts of the network.
Yesterday AMD, ARM, IBM, Intel, Microsoft and other major tech firms released updates, mitigations and published security advisories for two new variants of Meltdown and Spectre attacks.
Spectre and Meltdown made the headlines again. A few days after the disclosure of a new attack technique that allowed a group of researchers to recover data from System Management Mode (SMM) memory, the IT giants released security updates and mitigations for two new variants of the speculative execution attacks: Variant 3a, Rogue System Register Read (CVE-2018-3640), and Variant 4, Speculative Store Bypass (CVE-2018-3639).
Let's recap the two original flaws:
The Meltdown and Spectre attacks can be exploited to bypass memory isolation mechanisms and access sensitive data on the target.
Meltdown could allow attackers to read the entire physical memory of the target machine, stealing credentials, personal information and more.
Meltdown exploits out-of-order (transient) execution to breach the isolation between user applications and the operating system, so that any unprivileged application can read all of system memory.
Spectre breaks the isolation between different applications: a victim process (or the kernel, or a hypervisor) is tricked into speculatively executing code paths that leak its data through a cache side channel, allowing information to flow from the kernel to user programs and from virtualization hypervisors to guest systems.
Meltdown is tracked as CVE-2017-5754, while Spectre covers CVE-2017-5753 (Variant 1, bounds check bypass) and CVE-2017-5715 (Variant 2, branch target injection). According to the experts, Meltdown and Spectre Variant 1 can be addressed in software (kernel page-table isolation and bounds-check hardening, respectively), while Spectre Variant 2 required microcode updates for the affected processors, with retpolines as a compiler-level alternative.
In February, researchers at Google Project Zero and Microsoft reported a new attack dubbed Variant 4 (CVE-2018-3639), later named Speculative Store Bypass.
In May, the German computer magazine Heise revealed that Intel, along with other vendors, had been working on security updates for a new set of eight Spectre-class vulnerabilities, so-called "Spectre-NG".
The eight Spectre-NG vulnerabilities in Intel CPUs also affect some ARM processors. At the time of writing, the researchers had disclosed only partial details to Heise, while experts speculated that the flaws were particularly dangerous because they are easier to exploit.
Both CERT/CC and US-CERT also published security advisories to warn of the new side-channel attacks.
Intel has already developed microcode that addresses both Variant 3a and Variant 4 and has distributed beta versions to OEMs and operating system vendors. The tech giant plans to provide BIOS and software updates to its customers in the coming weeks.
“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.” reads the advisory published by Intel. “This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client and server test systems.”
The bad news is that the mitigation carries a performance cost: Intel measured a 2 to 8 percent drop on its benchmarks when it is enabled, which is why it ships off by default and leaves the decision to the operating system vendor and the customer.
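Because the Variant 4 mitigation is opt-in, the practical question for an operator is how a single sensitive process (a browser, a JIT, a sandbox host) turns it on without paying the cost system-wide. On Linux the per-task interface is prctl(2) with PR_GET/SET_SPECULATION_CTRL. The following Python script, added here as an example and not taken from any vendor advisory, queries and sets that control through ctypes; the constants are copied from <linux/prctl.h> so the script also imports on hosts whose headers predate Variant 4, and it degrades to "not available" on non-Linux systems or kernels without the interface.

```python
"""Query and opt into the Speculative Store Bypass (Variant 4) mitigation for one process.

Linux exposes per-task control via prctl(PR_GET/SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, ...).
Constants below are copied from <linux/prctl.h> (Linux 4.17+).
"""
import ctypes
import errno
import os
import sys

PR_GET_SPECULATION_CTRL = 52
PR_SET_SPECULATION_CTRL = 53
PR_SPEC_STORE_BYPASS = 0          # arg2: the speculation misfeature being controlled

# Bits returned by PR_GET_SPECULATION_CTRL / accepted by PR_SET_SPECULATION_CTRL
PR_SPEC_NOT_AFFECTED = 0          # CPU or kernel not affected by SSB at all
PR_SPEC_PRCTL = 1 << 0            # per-task control is possible
PR_SPEC_ENABLE = 1 << 1           # speculation enabled  -> mitigation OFF (the default)
PR_SPEC_DISABLE = 1 << 2          # speculation disabled -> mitigation ON
PR_SPEC_FORCE_DISABLE = 1 << 3    # mitigation ON and cannot be turned off again


def decode_ssb_status(value: int) -> dict:
    """Turn the raw prctl result into flags an operator can act on."""
    if value == PR_SPEC_NOT_AFFECTED:
        return {"affected": False, "controllable": False, "mitigated": True, "locked": False}
    return {
        "affected": True,
        "controllable": bool(value & PR_SPEC_PRCTL),
        "mitigated": bool(value & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)),
        "locked": bool(value & PR_SPEC_FORCE_DISABLE),
    }


def _prctl(option: int, arg2: int, arg3: int) -> int:
    """Thin wrapper over libc prctl(2); returns the raw result, raises OSError on failure."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.restype = ctypes.c_int
    # prctl is variadic in glibc; fix the argument widths so no garbage reaches the kernel.
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    res = libc.prctl(option, arg2, arg3, 0, 0)
    if res < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return res


def get_ssb_status():
    """Decoded status for the calling process, or None where the interface is absent
    (non-Linux, pre-4.17 kernel -> EINVAL, SSB control not offered -> ENODEV)."""
    if not sys.platform.startswith("linux"):
        return None
    try:
        return decode_ssb_status(_prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0))
    except OSError as e:
        if e.errno in (errno.EINVAL, errno.ENODEV):
            return None
        raise


def enable_ssb_mitigation(force: bool = False) -> bool:
    """Opt the calling process (and the children it forks) into SSBD; False if not possible."""
    if not sys.platform.startswith("linux"):
        return False
    try:
        _prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
               PR_SPEC_FORCE_DISABLE if force else PR_SPEC_DISABLE)
        return True
    except OSError:
        return False  # e.g. ENXIO when the kernel runs in a mode that does not allow prctl control


if __name__ == "__main__":
    print("before:", get_ssb_status())
    if enable_ssb_mitigation():
        print("after: ", get_ssb_status())
```

The per-task control only works when the kernel's `spec_store_bypass_disable=` mode is `prctl` or `seccomp` (the default `auto` selects these on affected CPUs); `/sys/devices/system/cpu/vulnerabilities/spec_store_bypass` reports which mode is active. In `seccomp` mode, installing a seccomp filter without `SECCOMP_FILTER_FLAG_SPEC_ALLOW` force-disables speculation for the task as well, which is how sandboxed browser renderers pick up the mitigation without calling prctl themselves.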
AMD declared that Variant 3a does not affect its chips, while mitigations for Variant 4 on AMD systems are expected from Microsoft and the Linux distributions at the operating system level.
Microsoft is still assessing its products; it stated that it is not aware of any exploitable code pattern for Variant 4 in its software or cloud services, while continuing to investigate.
“However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.” states the security advisory published by Microsoft.
“At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate. Microsoft will implement the following strategy to mitigate Speculative Store Bypass.”
As for Variant 3a, the advisories explain that the only way to mitigate the issue is through a microcode/firmware update, not an operating system update.
IBM has released security patches for both firmware and operating systems to address Variant 4 in its Power Systems series.
“In May 2018, a fourth variant was identified, CVE-2018-3639. This variant is another instantiation of a side-channel information disclosure attack.” reads the advisory published by IBM.
“Mitigation of these vulnerabilities for Power Systems clients involves installing patches to both system firmware and operating systems. Both the firmware and OS patches are required for the mitigation to be effective against these vulnerabilities and the latest firmware and OS patches incorporate mitigations for the fourth variant.”
A team of security researchers from Chinese firm Tencent has discovered 14 security vulnerabilities in several BMW models.
Researchers from the Tencent Keen Security Lab have discovered 14 vulnerabilities affecting several BMW models, including BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series.
The team of experts conducted a year-long study between January 2017 and February 2018. They reported the issues to BMW and, after the company started rolling out security patches, published a summary report describing the flaws.
“We systematically performed an in-depth and comprehensive analysis of the hardware and software on Head Unit, Telematics Control Unit and Central Gateway Module of multiple BMW vehicles.” reads the report published by Tencent Keen Security Lab.
“Through mainly focusing on the various external attack surfaces of these units, we discovered that a remote targeted attack on multiple Internet-Connected BMW vehicles in a wide range of areas is feasible, via a set of remote attack surfaces (including GSM Communication, BMW Remote Service, BMW ConnectedDrive Service, UDS Remote Diagnosis, NGTP protocol, and Bluetooth protocol).”
According to the experts, the vulnerabilities affect cars produced since 2012. The researchers focused their tests on the infotainment and telematics systems of the vehicles.
Eight of the vulnerabilities impact the infotainment system, four issues affect the telematics control unit (TCU), and two the central gateway module.
The TCU provides telephony services, accident assistance services, and implements remote controls of the doors and climate. The central gateway receives diagnostic messages from the TCU and the head unit and sends them to other Electronic Control Units (ECUs) on different CAN buses.
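The central gateway is the natural place to enforce least privilege on diagnostics: the TCU and head unit are reachable from outside the car, so whatever they are allowed to send onward to the ECU buses is the remote attack surface. The Python below is an added, illustrative gateway policy (not BMW's implementation and not derived from the Keen Lab report): it reads the UDS service identifier out of the ISO-TP frame and forwards only the services granted to that source, answering everything else with a UDS negative response. Service and response codes are the standard ISO 14229-1 values; the policy table, source names and sample frames are assumptions made for the example.

```python
"""Illustrative central-gateway policy for UDS diagnostic requests (not a vendor implementation).

Remote-facing units (TCU, head unit) only get read-only diagnostics; services that change ECU
state or open a reprogramming path are reserved for a tester on the physical OBD port.
"""

# UDS service identifiers, ISO 14229-1
SID_DIAGNOSTIC_SESSION_CONTROL = 0x10
SID_ECU_RESET = 0x11
SID_CLEAR_DIAGNOSTIC_INFORMATION = 0x14
SID_READ_DTC_INFORMATION = 0x19
SID_READ_DATA_BY_IDENTIFIER = 0x22
SID_SECURITY_ACCESS = 0x27
SID_WRITE_DATA_BY_IDENTIFIER = 0x2E
SID_ROUTINE_CONTROL = 0x31
SID_REQUEST_DOWNLOAD = 0x34
SID_TRANSFER_DATA = 0x36
SID_TESTER_PRESENT = 0x3E

NEGATIVE_RESPONSE_SID = 0x7F
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_SECURITY_ACCESS_DENIED = 0x33

# Hypothetical policy table: which SIDs each source may push through the gateway.
READ_ONLY = frozenset({SID_READ_DATA_BY_IDENTIFIER, SID_READ_DTC_INFORMATION, SID_TESTER_PRESENT})
PRIVILEGED = frozenset({SID_DIAGNOSTIC_SESSION_CONTROL, SID_ECU_RESET, SID_CLEAR_DIAGNOSTIC_INFORMATION,
                        SID_SECURITY_ACCESS, SID_WRITE_DATA_BY_IDENTIFIER, SID_ROUTINE_CONTROL,
                        SID_REQUEST_DOWNLOAD, SID_TRANSFER_DATA})
POLICY = {
    "tcu": READ_ONLY,
    "head_unit": READ_ONLY,
    "obd_tester": READ_ONLY | PRIVILEGED,
}
REMOTE_SOURCES = frozenset({"tcu", "head_unit"})


def uds_sid(frame: bytes):
    """Return the UDS SID carried by an ISO-TP single frame (PCI 0x0N) or first frame (0x1N).

    Consecutive (0x2N) and flow-control (0x3N) frames carry no SID and return None; a real
    gateway tracks the multi-frame session per source so they inherit the first frame's decision.
    """
    if len(frame) < 2:
        return None
    pci_type = frame[0] >> 4
    if pci_type == 0:                       # single frame: low nibble is the payload length
        length = frame[0] & 0x0F
        if length == 0 or length > len(frame) - 1:
            return None                     # malformed: claimed length exceeds the frame
        return frame[1]
    if pci_type == 1 and len(frame) >= 3:   # first frame: 12-bit length in bytes 0-1, SID in byte 2
        return frame[2]
    return None


def gateway_decide(source: str, frame: bytes):
    """Return ('forward', frame), ('reject', negative_response_frame) or ('hold', None)."""
    sid = uds_sid(frame)
    if sid is None:
        return ("hold", None)
    if sid in POLICY.get(source, frozenset()):
        return ("forward", frame)
    # A remote unit asking for a privileged service is a policy violation, so it gets
    # securityAccessDenied; unknown sources simply see the service as unsupported.
    nrc = NRC_SECURITY_ACCESS_DENIED if source in REMOTE_SOURCES else NRC_SERVICE_NOT_SUPPORTED
    return ("reject", bytes([0x03, NEGATIVE_RESPONSE_SID, sid, nrc]))


if __name__ == "__main__":
    # Constructed frames: ReadDataByIdentifier 0xF190 (VIN) and DiagnosticSessionControl 0x03 (extended)
    for src, frame in [("tcu", bytes([0x03, 0x22, 0xF1, 0x90])),
                       ("tcu", bytes([0x02, 0x10, 0x03])),
                       ("obd_tester", bytes([0x02, 0x10, 0x03]))]:
        print(src, frame.hex(), "->", gateway_decide(src, frame))
```

Denying DiagnosticSessionControl and SecurityAccess from the remote units is what matters most: without an extended or programming session, WriteDataByIdentifier, RoutineControl and the download services are refused by the ECUs anyway, so the gateway policy and the ECU's own session checks back each other up.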
The experts discovered that an attacker could exploit the flaws, or chain several of them, to execute arbitrary code and take complete control of the affected component.
The experts demonstrated that an attacker with physical access could compromise a BMW vehicle via a USB stick; in another scenario they illustrated a remote compromise through a software-defined radio.
Remote attacks can be conducted via Bluetooth or via the cellular network. A remote compromise over the cellular path is complex to carry out, because the attacker needs to control the GSM network the car attaches to, which in the researchers' demonstration meant standing up their own base station with a software-defined radio.
“Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components and UDS communication above certain speed of selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely,” state the researchers.
BMW issued some security updates to the backend systems, it also rolled out over-the-air patches for the TCU. The company also developed firmware updates that will be made available to customers at dealerships.
Neither BMW nor Keen Lab have revealed the list of affected models.
BMW awarded the Keen Lab as the first winner of the BMW Group Digitalization and IT Research Award.
In July 2017, the same team of Tencent researchers demonstrated how to remotely hack a Tesla vehicle.
When you finish reading this article, and I recommend you read it two or three times, you will have a keen understanding of where the future of Cyber Defense is going from one of the most brilliant and successful minds in the industry.
I had the opportunity and honor to catch up with one of the most talented and innovative movers and shakers in our industry, someone who lives by what he preaches, the 3 H's: Honesty, Humility and Hard work. He is David G. DeWalt, founder of NightDragon Security and a partner at Allegis Cyber and Momentum Cyber, among some 14 or 15 other ventures and activities. He is also Vice Chairman of Delta Air Lines, where he serves as the safety and security board member, so he has boots on the ground in critical infrastructure as well, and he serves on the National Security Telecommunications Advisory Committee for the US Government. It was refreshing to hear David speak at the Cyber Investing Summit in New York City and then to follow it up with a one-hour deep dive into his strategies and platforms.
I assure you that this article, learning who David DeWalt is, where he is investing and what he is predicting, could be the most important piece of cyber defense intelligence for 2018 and beyond.
Pictured Above, NightDragon Security is David’s Cybersecurity Platform. More on this later in the article…
WE NEED TO LOOK BACK BEFORE WE CAN MOVE AHEAD
A brief backgrounder on Dr. David G. DeWalt
Let's go back in time and then work our way into the present and the future. David takes us on an incredible journey, but before we strap in for a wild ride into the future of cyber defense, we need to understand where it all started for him.
He has more than 30 years of high tech experience. I think his three H's come from a great upbringing by what most would consider a blue-collar family in the steel and coal mining belt of Pennsylvania. He grew up in Reading, PA, and with the love and inspiration of great parents he began his journey, always reflecting on where he came from and keeping his humility intact even after some of the most amazing accomplishments in our space.
Our discussion reminded me of a common thread with great people like Robert Herjavec: always questioning and learning, maintaining a high degree of honesty and humility, and always willing to put in the long, hard hours. We can learn from these successful pioneers in our industry; great minds and successful individuals do think alike, and they usually start from humble beginnings.
Pictured above: hard work, dedication and perseverance as he receives his honorary doctorate
A few years ago, David had the honor of giving the commencement speech at the University of Delaware and from this speech we’re able to learn a lot about David DeWalt. It was May 30, 2015–David G. DeWalt, chief executive officer and chairman of the board of FireEye Inc., delivered the Commencement address at the University of Delaware, where he graduated in 1986. At the ceremony, he also was awarded an honorary doctor of science degree.
One of David's favorite quotes comes from the OneRepublic song “I Lived”: “Hope when your moment comes, you say, ‘I lived’,” and, as the lyric goes, “with every broken bone, I swear I lived.” David, as his dad would say, ‘wrastled’ his way through college in the 177-pound weight class. Wrestling is a very demanding sport, with lots of sacrifices and very few rewards.
Dr. David G. DeWalt stands 6 feet 4 inches, and back then he weighed about 220 pounds, so the 177-pound limit was very difficult for him to maintain. Oftentimes he had to go without food and water for days to make weight, or work out for countless hours in layers of sweat suits. He suffered enormous hardships during his wrestling career, including a broken collarbone, a dislocated shoulder, two knee surgeries, cauliflower ear and even losing his front teeth. Swap the coach quoted here for David's wrestling coach, and the sport from football to wrestling, and you will understand Dr. DeWalt's philosophy on life, business, blood, sweat and tears: “You are the most influential player on this team, if you walk around defeated, so will they…Don’t tell me you can’t give me more than I was seeing. God’s gifted you with the ability of leadership, don’t waste it.”
Photo Source Bluehens.com – One of the finest wrestlers in Blue Hens history, DeWalt was inducted into the University of Delaware Athletics Hall of Fame in 2003
Through it all, he wrestled 110 matches for the University and won 101 of them, with his parents watching every single match. They taught him much about patience and perseverance: they once drove 20 hours, from Reading, PA, up to Boston and back, just to watch him wrestle against Yale and Boston University, and he finished both matches in under a minute. Think about it: less than a minute of wrestling, two wins, and 20 hours of driving to watch them. We could all learn a lot from David's parents. This kind of dedication breeds winners and leaders; the more involved we are in our children's lives, the less we will have to worry about their future. It is an incredible investment, and yes, it takes a great deal of selflessness, but as David learned and shares, this is one of the strong beliefs he intends to pass on to his children.
He finally stood on the podium that day, in front of 16,000 fans at the University of Iowa Hawkeye stadium — as an NCAA Division I All-American, the first ever from the University of Delaware. The blood, sweat, and tears of 16 years of hard work, perseverance, dedication and determination had paid off.
“You have to take a leap if you want to attain your goals. I had achieved one of my goals. And there, up in the third deck, were my parents. Always there, always supportive. To this day, I will fly from wherever I am in the world to see my kids perform. Whatever it is they do, I will be there like my parents were for me. Love, live and remember humility is everything. Remember where you are from and don’t ever forget what your loved ones have done for you. Be present. Always alive. Always live on the edge of tears. Always push yourself to be better,” he said at this very memorable and timeless commencement speech.
Words to live by.
Moving forward: David DeWalt graduated with a computer science degree in hand and decided to pack his bags and move to California to pursue his goals and dreams. His father thought he was crazy and would be back in Reading, PA, soon. His dad said, “California, what’s out there?” David responded, “Opportunity, Dad. You wait and see.”
So he drove his little blue Pontiac T-1000 across the country and settled in the heartland of opportunity, Silicon Valley. There he was, with no job and no friends, 3,000 miles from home, when he began his high-tech career.
So, now you can understand his three H’s – Honesty, Humility and Hard-work.
Starting with nothing and risking everything, he made it to Silicon Valley. He interviewed with a now famous man named Tom Siebel at a company called Oracle. Tom ran a division called DMD that did direct marketing and telesales. During the interview, Tom told him that people with engineering degrees usually fail at sales and don't have what it takes. David said, “Give me a chance. Hire me and I’ll prove I can do it.” His dad wasn't pleased either; an engineering degree was apparently going to waste. David proved them both wrong. Like Larry Bird in the Boston Celtics' great era, David was the first in and the last out every day. That is what made Larry Bird so great and so famous: he had the humility to admit he wasn't the most gifted, but he was the hardest working, and because of that passion and drive he became one of the very best. David made his numbers, became the top sales earner at Oracle and was promoted five times during his career there, learning valuable life lessons along the way.
Pictured Above, Quotable from Dr. David G. DeWalt
Fast forward to the greatest failure that led to the greatest success. The day was April 21, 2010. David DeWalt was the CEO of the computer security company McAfee. At 6 a.m. he received an urgent call to come into the office. Gathered with his management team to hear the bad news, he learned that the company had accidentally shipped a faulty release, number 5958, of its anti-virus definitions, and that within 16 minutes it had knocked out computers at 1,672 companies.
“When I say wiped out, this is an understatement. Entire companies were unable to boot any computers. Entire companies were unable to operate their businesses. In an effort to stop a particularly nasty threat from a government nation state source, we had accidentally shutdown all the computers that updated with our software that morning,” he said.
Fortunately for McAfee, one of its engineers realized the mistake and rolled the release back, and in the process kept tens of thousands more companies from pulling the faulty update.
FORGET LAWYERS AND BREACH NOTIFICATION ACTS: DO THE RIGHT THING
It’s so important to always tell the truth. Take ownership. Be honest.
That day he made an incredibly important decision. As the news leaked out, with McAfee and his face prominently displayed on nearly every TV in the world and the stock dropping 40 percent, decisions needed to be made. Not a good day if you are a CEO. But adversity is the true test of leadership, and this day was one of those tests for David DeWalt.
As swarms of media gathered in his lobby for a statement, he made an important corporate video. Against the advice of every lawyer that could reach him, he decided to quickly publicly air what had happened. He took full responsibility for the actions of his company and apologized to everyone for harming them. He explained how they had worked all night to fix a virus but instead they had made a huge mistake. This video spread virally everywhere. But a funny thing happened. Instead of making things worse and getting sued, customers and partners became empathetic. The more the media tried to sensationalize it, the more empathy David and his team at McAfee received.
David ended up speaking to nearly every customer over the next few days. His office was flooded with calls from the White House, from state governors, from CEOs of many, many important companies. McAfee dispatched nearly 4,000 employees, and everyone worked together to fix the issue. Competitors piled on, but it only made things worse for them and not for McAfee. “Why hadn’t they fixed the virus themselves? Why hadn’t they worked as hard as McAfee did?” everyone was asking.
TURNING A HUGE NEGATIVE INTO AN EVEN BIGGER POSITIVE
By taking ownership and working with customers, you will lead by example.
Well, on that day, one of those companies was Intel Corp.: 70,000 computers wiped out. Employees had to stand in line in the cafeteria for days to get their computers fixed. Three days of being down. Well, Intel is an amazing company. Instead of being a victim, they took action, working with McAfee to design a semiconductor-based architecture to never let that happen again.
Three months later, not a single customer had sued McAfee. In fact, customers spent more money with the company and its stock recovered, and a mere two months later Intel acquired McAfee for a record $7.7 billion, the largest all-cash transaction in the history of high tech. David learned, and continues to share with others, the most valuable lesson of them all: honesty.
Leadership lessons of life. Be present. Always alive. Live life on the edge of tears.
“Honesty — it’s a powerful attribute in a crisis. Hard-work, humility and honesty. The 3Hs are the foundation of my success,” said David DeWalt.
Many of you might remember how David DeWalt became CEO of FireEye in 2012 and took it public in 2013. He and his team built a multi-billion dollar business and acquired Mandiant, whose founder, Kevin Mandia, now runs FireEye. Today FireEye has annual revenues over $300m and assets over $2.5B.
SUMMING UP THE PAST, PREDICTING OUR CYBER DEFENSE FUTURE
Building out the first Cybersecurity Platform from Inception to Exit
So, Dr. David G. DeWalt has more than 30 years of experience in the industry, over 20 of them in high tech and 17 as a CEO. As he says, “68 quarters of executive leadership has given me a front row seat – it’s my love, my passion – it’s not just a job – I feel lucky and blessed.” With these blessings and successes, Dr. DeWalt has taken a bird's-eye view of what happened in the past and what is happening today, and is predicting where we need to be in the very near future. His main concern is that the lack of visibility continues to dramatically increase the risk and severity of breaches. This also opens up a new world of investment opportunities in cyber defense innovation.
Pictured Above, Dr. David G. DeWalt’s Thoughts On Greater Risk and Severity of Breaches
According to Dr. DeWalt, the biggest gaps bring the biggest investment opportunities: when a new threat appears, customer spend expands quickly, venture capitalists (VCs) pour more money into the companies addressing it, and of course it is cyclic, because by the time the vendors solve it, the actors are on to new threats.
Pictured Above, Dr. David G. DeWalt’s Threat Evolution from the ‘90’s up to 2018
Dr. DeWalt calls these “super cyber cycles”: threat cycles that drive vendor spending and investment. When he talks about the biggest gaps, he means the gap between the offense, the threat, and commercial defense.
Wherever you see the biggest gap, you see the biggest opportunity. Case in point: FireEye. Along came the super threat cyber cycle of advanced persistent threats (APTs), multi-stage, multi-vector attacks we had never seen before, and the antivirus (AV) vendors did not know how to stop ‘all the objects.’ “We took the risk at FireEye and solved this challenge – we could tear apart APTs and understand their multi-object layering and multi-stages of behavior. I knew this would be a short, 3 year window – a big gap and a big opportunity – I see similar threat cycles coming our way and I call these Cyber ‘Super Cycles’,” said Dr. David G. DeWalt.
Pictured Above, Dr. David G. DeWalt’s Idea of Cyber ‘Super Cycles’
What’s driving the perfect Cyber storm?
According to Dr. DeWalt, the speed of innovation is driving vulnerabilities everywhere, but in particular, eight key areas – Mobile, Social, Cloud, Satellite, IoT, Industrial, Physical, & Consumer. Add to this the levels of danger expanding from hacktivism to crime to espionage to terrorism to warfare. In addition, we have a tremendous increase in geo-political tensions, a complete lack of governance and law enforcement models compounded by internet anonymity. Moreover, we have legacy security providers unable to detect or prevent the next threat – hence, we’ve entered a perfect Cyber storm.
A PERFECT STORM BRINGS A PERFECT OPPORTUNITY FOR INVESTING…
Given these critical issues, Dr. David G. DeWalt formed NightDragon Security as a unique cybersecurity platform to drive leadership into a new world of investment opportunities in cyber defense innovation. From inception to incubation to market deployment, acceptance and potential global dominance in cyber defense, his mission is to create and/or find the market leaders that help us get one step ahead of the next breach. He is also predicting, very intelligently, where those breaches will happen, and you may be surprised. Today it may be relatively easy to get to a CEO through a spear phishing attack, but tomorrow stealing his identity may happen through his home automation and Internet of Things (IoT) devices. Cybercriminals have already started planning the move from drive-by malware on websites to actually driving by an executive's property (or reaching it remotely over the internet), eavesdropping on insecure routers and a weak home security environment and making that the next big attack vector for cyber crime and espionage. Will the executive's Alexa or Nest system, or the 3-year-old wireless router that came with the cable modem, hold up to the scrutiny of cyber criminals? Highly doubtful. This is just one small example of what Dr. DeWalt has discovered. Let's read on and learn more from his key slide on the eight areas of high exploitation and high investment opportunity coming in the very near term:
Security researchers discovered that a misconfigured server operated by CalAmp could allow anyone to access account data and take over the associated vehicle.
CalAmp is a company that provides telematics backend services for several well-known systems.
Security researchers Vangelis Stykas and George Lavdanis found the misconfigured CalAmp server while assessing a consumer product that relies on it.
The experts were searching for security vulnerabilities in the Viper SmartStart system, a device that allows users to remotely start, lock, unlock, or locate their vehicles directly using a mobile app on their smartphones.
As with many other mobile applications, it used TLS with certificate pinning: the client hard-codes the certificate (or key) the server is known to use and rejects any connection presenting a different one, even a certificate the device's trust store would accept, which blocks interception with forged certificates. Pinning protects the transport, however, and says nothing about what the backend lets an authenticated user do.
The experts noticed that the app was connecting to the mysmartstart.com domain and also to a third party domain (https://colt.calamp-ts.com/), the frontend for CalAmp's Lender Outlook service.
The experts discovered that the credentials of a user created through the Viper app also worked to log in to this panel.
“This panel seemed to be the frontend for Calamp.com Lender Outlook service. We tried our user created from the viper app, to login and it worked!” reads the blog post published by Stykas.
“This was a different panel which seemed to be targeted to the companies that have multiple sub-accounts and a lot of vehicles so that they can manage them.”
Further tests suggested that the portal itself was reasonably secured, but during the assessment the researchers found that its reports were produced by a separate, dedicated server running TIBCO JasperReports.
It was the first time the experts had looked at this type of server, so they had to improvise; by removing all parameters from the requests they discovered they were already logged in as a user with limited rights who nevertheless had access to a large number of reports.
“None of us were familiar with that so we had to improvise. Removing all the parameters we found out that we were already logged in with a limited user that had access to A LOT of reports.” continues the report.
“We had to run all those reports for our vehicles right? Well the ids for the user was passed automatically from the frontend but now we had to provide them from the panel as an input. And…well…we could provide any number we wanted.”
By supplying arbitrary ids the researchers could run every report for every vehicle (including location history) and could see the configured data sources, including usernames; the passwords were masked and could not be exported.
The server also allowed copying and editing any existing report.
“We could not create a report or an ad hoc or pretty much anything else, but we could copy paste existing ones and edit them so we can do pretty much anything. We could also edit the report and add arbitrary XSS to steal information but this was not something that we (or anyone in their right lawful mind) would want to do.” continues the report.
The report server also exposed data sources pointing at all of CalAmp’s production databases, including the CalAmp Connect device outlook database. The researchers used that access to take over a user account through the mobile application: once an attacker has set the account password to one they know, they can simply walk to the car, unlock it, start the engine and possibly steal the vehicle.
According to the experts the exploitation of the flaw could allow:
Well the very obvious: just change the user password to a known one, go to the car, unlock, start and leave.
Get all the reports of where everyone was
Stop the engine while someone was driving ?
Start the engine when you shouldn’t.
Get all the users and leak.
As we haven’t actually seen the hardware we might be able to pass can bus messages through the app ?
Get all the IoT devices from connect database or reset a password there and start poking around.
Really the possibilities are endless…
The experts reported the issue to CalAmp at the beginning of May 2018, and the company addressed the flaw in ten days.
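The two access-control mistakes described above (a report server that silently acts as a built-in limited user when the session parameters are removed, and a report id that is taken from the request and never checked against the caller) are worth seeing side by side. The following is an added example written for this page, not CalAmp’s or the researchers’ code; it models both behaviours as tiny in-process handlers on constructed data, and every account name, role and vehicle id in it is hypothetical.

```python
"""Added example (not CalAmp's or the researchers' code): an insecure direct
object reference in a report endpoint, beside the hardened form."""
from dataclasses import dataclass

# Constructed sample data: hypothetical accounts and vehicle ids.
VEHICLES = {
    101: {"owner": "alice", "location_history": [(37.77, -122.41), (37.79, -122.40)]},
    102: {"owner": "bob", "location_history": [(40.71, -74.00)]},
}


@dataclass
class Session:
    user: str
    role: str = "customer"      # "fleet_admin" models the multi-vehicle lender accounts


class Forbidden(Exception):
    pass


def run_report_vulnerable(session, vehicle_id):
    """Flaw 1: a missing session silently becomes a built-in limited user.
    Flaw 2: the id comes straight from the request and is never compared
    with the caller, so any caller can read any vehicle's history."""
    session = session or Session("anonymous", role="limited")
    return VEHICLES[vehicle_id]["location_history"]   # session is never consulted


def run_report_hardened(session, vehicle_id):
    """Reject anonymous callers and authorize the object, not just the session.
    Unknown ids and foreign ids fail identically so ids cannot be enumerated."""
    if session is None:
        raise Forbidden("authentication required")
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None or (session.role != "fleet_admin" and vehicle["owner"] != session.user):
        raise Forbidden(f"{session.user} may not run reports for vehicle {vehicle_id}")
    return vehicle["location_history"]


def probe_idor(handler, session, candidate_ids):
    """The check a tester runs: which candidate ids return data for this caller?"""
    readable = []
    for vid in candidate_ids:
        try:
            handler(session, vid)
            readable.append(vid)
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    ids = range(100, 104)
    print("vulnerable, no session :", probe_idor(run_report_vulnerable, None, ids))
    print("hardened, alice        :", probe_idor(run_report_hardened, Session("alice"), ids))
```

The probe is the same test the researchers effectively ran by hand: remove the session, then walk the id space. Against the vulnerable handler it returns every existing vehicle for an anonymous caller; against the hardened one it returns only the caller’s own vehicles, and nothing at all without a session.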
Cybersecurity in the City: Ranking America’s Most Insecure Metros is a first-time report issued by Coronet, a provider of enterprise-grade cloud security to companies of any size.
Between December 2017 and May 2018, Coronet collected and analyzed massive amounts of data from its SecureCloud endpoint application, which runs on more than one million endpoints spanning PCs, mobile phones and tablets. The data is derived via Coronet Threat Intelligence, the company’s proprietary data aggregator and analysis engine built to continuously study device posture, network connections and the connections of surrounding networks and cloud services in order to understand new and emerging threat vectors.
Coronet Threat Intelligence collects eight terabytes of data daily, and that amount doubles every other week.
In this report you will learn:
The risk level of America’s 55 largest metros based on both threat and vulnerability identification, as well as cybersecurity resources and investments.
The organizational exposure to threats that mid-market and small businesses in each metro have when accessing cloud-services such as Office365, G-Suite, Dropbox, Salesforce and many other SaaS business apps.
The differences between infrastructure risk and device risk and how each poses unique challenges to companies and their employees.
How Coronet’s SecureCloud brings enterprise grade security to any size company, protecting cloud apps from unauthorized access, data theft, and malware spread.
With the unique ability to extract and analyze data from both access controls and cloud controls, Coronet Threat Intelligence enables analysts to follow the evolution of attacks from vulnerability stage to the actual attack execution. Because of this visibility, Coronet can identify attackers, threats and vulnerabilities with extremely high accuracy, even among the most sophisticated and stealthy attacks. In total, the Coronet Threat Intelligence engine produces the most accurate and actionable data in the cybersecurity industry; correlated, highly-contextual data that is both geo-tagged and accessible in real-time. The link to the full report is here: http://coro.net/threatcity/
With all eyes on privacy rights, forward-looking businesses are re-examining their social media, e-commerce and data mining strategies and looking for new ways forward. Motivating factors include the Facebook Cambridge Analytica scandal and the European Union’s General Data Protection Regulation (GDPR) which goes into full effect May 25, 2018. The takeaway – learn to play by the new rules or suffer the consequences.
Your company is probably wondering where it will find the leadership to help it avoid the landmines ahead in this new GDPR world order. Shifting ownership of data back to individuals is a boon for citizens, but it is a nightmare for today’s companies and organizations, which must comply regardless of their physical location as their sprawling global digital footprints expand.
Programs like Brown University’s Executive Master in Cybersecurity (EMCS) are preparing professionals to meet these demands. Tailored for industry professionals, the 18-month program has students broaden their skill set beyond their own area of expertise to develop global cybersecurity strategies that span IT, policy, human factors and privacy.
They accumulate this knowledge by studying with Brown’s leading academics across policy and technology, and by engaging with the industry luminaries that make up the program’s all-star speaker list. The professional students, who hail from various functions, industries and geographies, also gain insight into each other’s efforts to get ahead not only of digital attacks but of a rapidly evolving regulatory environment.
In this unique program, students tackle a variety of challenging material. A sampling of courses may look like this:
Applied Cryptography and Data Security with Brown University Computer Science Professor Anna Lysyanskaya, a leading thinker in the area of encryption and anonymity.
Global Cyber Challenges: Law, Policy, and Governance with Brown University Watson Institute Senior Fellow Tim Edgar, who served as the first Director of Privacy on the White House National Security Staff under the Obama Administration.
Privacy and Personal Data Protection with Brown Adjunct Professor Deborah Hurley, a fellow of the Institute for Quantitative Social Science at Harvard University.
Students such as Michael Mangold EMCS ’19, senior manager at Deloitte & Touche, LLP, are leading the way in GDPR compliance practices. In his role, Mangold works with Fortune 100 companies as they wrestle with the scope, strategy and program components for GDPR compliance. Mangold discussed the role EMCS’ interdisciplinary curriculum played in helping him lead through this tumultuous regulatory environment.
“EMCS is built around a recognition that strategy is the best security. It leverages this pedagogical approach to pull together the technical, legal, and business elements of cybersecurity. It has been an incredible experience that enables me to take my consulting game to the next level.”
To ensure you have the critical skills needed to be a cybersecurity leader, learn more about the Brown University Executive Master in Cybersecurity, an 18-month program for professionals designed to cultivate high-demand industry executives with the unique ability to devise and execute integrated, comprehensive cybersecurity strategies.
The head of the Mexican central bank, Alejandro Diaz de Leon announced this week that hackers were involved in shadowy transfers of between $18 million and $20 million.
The Mexican central bank is the latest victim of the SWIFT hackers: officials at the bank confirmed this week that attackers hit the payments system and stole millions of dollars from domestic banks.
The attack was discovered in late April and presents many similarities with past attacks against the SWIFT systems.
The Mexican central bank did not disclose the names of the banks hit by the cyber attack and did not detail the overall amount of money the crooks stole.
According to Alejandro Diaz de Leon, head of Mexico’s central bank, crooks were able to complete illicit transactions of $18 million to $20 million.
“Central bank Governor Alejandro Diaz de Leon said on Monday that the country had seen an unprecedented attack on payment system connections and that he hoped that measures being taken would stop future incidents.” reported Reuters.
“A source close to the government’s investigation said more than 300 million had been siphoned out of banks, but it was not clear how much had subsequently been taken out in cash withdrawals.”
According to reports, following the latest cyber attacks Mexico’s central bank has created a cybersecurity division and has instituted a one-day waiting period on electronic funds transfers of more than $2,500.
“Perhaps, some financial institutions perceived the attacks in Bangladesh as something very distant,” said Alejandro Diaz de Leon, who believes that some Mexican banks may not have invested in sufficient security measures.
“But criminals look for vulnerability and once they see it they are going to exploit it.”
Mexican depositors won’t be affected, but the overall losses for the local banks could be greater than initially thought.
Nethammer attack technique is the first truly remote Rowhammer attack that doesn’t require a single attacker-controlled line of code on the targeted system.
A few days ago security experts announced the first network-based remote Rowhammer attack, dubbed Throwhammer. The attack exploits a known weakness in DRAM through network cards that use remote direct memory access (RDMA) channels.
Rowhammer is a problem affecting some recent DRAM chips: repeatedly accessing (hammering) one row of memory cells can cause bit flips in physically adjacent rows, which means that, in principle, an attacker can change bits in memory they are not allowed to write.
The issue has been known at least since 2012, the first attack was demonstrated in 2015 by white hat hackers at Google Project Zero team.
To understand the Rowhammer flaw, recall that DRAM is arranged as an array of rows and columns of cells, and that blocks of memory are assigned to different services and applications. The operating system and hardware keep each application’s memory isolated from the others, and sandboxes rely on that isolation.
A bit flip induced by Rowhammer undermines that isolation, so it can be used to escape the sandbox.
A separate group of security researchers has now demonstrated another network-based remote Rowhammer attack, dubbed Nethammer, that relies on the target using uncached memory or cache-flush instructions while processing network requests.
“Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer,” reads the research paper published by the experts.
The research team was composed of academics from the Graz University of Technology, the University of Michigan and Univ Rennes.
By sending traffic that causes the memory used for packet processing to be written and rewritten at a high rate, an attacker can use Nethammer to induce bit flips on the targeted system; depending on where a flip lands, it can be leveraged to compromise the system.
The attack is feasible only with a fast network connection between the attacker and victim.
“We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios.” continues the paper.
“Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service.”
This process results in a very large number of memory accesses to the same set of memory locations, which can induce disturbance errors in the DRAM and corrupt memory by unintentionally flipping bits.
Data corruption resulting from the operations can be exploited by the attackers to gain control over the victim’s system.
“To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache.” continues the paper.
“An attacker can use the unprivileged clflush instruction to invalidate the cache line or use uncached memory if available.”
The experts stressed that caching makes the attack harder, because the hammering accesses must actually reach the DRAM, so they devised techniques to bypass the cache and hit the memory directly in order to cause the interference.
The experts successfully demonstrated three different cache bypasses for Nethammer technique:
A kernel driver that flushes (and reloads) an address whenever a packet is received.
Intel Xeon CPUs with Intel CAT for fast cache eviction
Uncached memory on an ARM-based mobile device.
The experts observed a bit flip every 350 ms, demonstrating that it is possible to hammer over the network when at least two memory accesses per request are served from main memory; they induced the flips by sending a stream of UDP packets at up to 500 Mbit/s to the target system.
Unlike the original Rowhammer attack, Nethammer does not require any attacker-controlled code on the target.
Unfortunately, no attack technique based on Rowhammer can be fully fixed with a software patch: the root cause is in the DRAM itself, and solving it requires redesigning the flawed components or hardware-level countermeasures such as ECC memory and target-row refresh. In the meantime, threat actors can start using the Rowhammer technique in the wild.
Stopping the #1 Source of Exploitation: Spear Phishing in Depth
Again, Inky® receives another award, two years in a row. You’re still wondering who they are and why they are so important? First, let’s review their name, who their founder is and what problem they are working on solving using artificial intelligence (a.i.), machine learning and ‘big cloud’ data.
So, at first, I was wondering why the company wasn’t called FireSHIELD or SteelBlue or some other also-ran InfoSec name. So my first question – why the name Inky®?
Figure 1: Dave Baggett, CEO/Founder Inky®
Dave Baggett has a very cool answer…he said to me, ‘think about an octopus going fishing…they hit them with their ink to confuse the senses and then they easily capture the fish.’ So as you can see from the cartoon, the octopus uses its big brain to outsmart the fish, and that’s what Inky is doing to phishing attacks…outsmarting them.
Inky makes Phish Fence to capture the worst of the worst and nearly all phishing attacks. Phish Fence acts like a phishing expert sitting next to each user, analyzing that person’s mail. Users simply click the black Inky icon and a side panel displays the analysis. This significantly reduces the chance that an employee will fall for a phishing scam.
About The Founder of Inky®
Dave Baggett is not a first timer at this, he grew his last company to a $700M valued acquisition – sold to Google – which did, wait for it, a.i., machine learning and big cloud data analysis – just for a completely different purpose – so he and his team absolutely have a leg up when it comes to innovating in the field of anti-phishing. This last company that he founded leveraged Dave’s expertise in machine learning and huge data set analysis in real-time. Taking that big data set analysis knowledge, artificial intelligence and machine learning into Inky, is a perfect transition. Dave’s team is looking to go faster than the latest phishing exploit and he knows that machine learning is the way to go. He’s bright, passionate and doesn’t need to be working at this – he could be on a beach somewhere in early retirement. However, he is a serious entrepreneur who wants to create something of lasting value – to solve a huge problem that affects all of us. This is his mission and he’s the real deal. I’d say he’s a time-based security market leader – this is my favorite model because it works – be faster than the exploitation of the vulnerability and you win. Humans just can’t do it anymore. This is also a worthy use of AI, where machines don’t replace us, they augment us and provide real-time expertise when we need it. Dave and his team at Inky are doing just that with their Phish Fence solution.
According to Cyber Defense Magazine, Global Cybercrime will reach $5 Trillion by 2020. Most of these breaches happen through email. It all starts with a spear phishing attack whereby a trusting user, the victim, clicks a link or opens an attachment in an email that appears to come from someone they trust. Spear phishing is becoming so sophisticated that even the best anti-phishing systems have not been able to detect the latest threats. Enter Inky and Phish Fence – they discover the most challenging and well-structured spear phishing attacks that other vendors cannot touch.
MOST BREACHES CAUSED BY SPEAR PHISHING ATTACKS:
“The biggest form of cybercrime is spear phishing and remote access trojans (RATs), but most users quickly forget their anti-phishing training – it requires a completely new approach and Inky brings it to the table” said Gary S. Miliefsky, Publisher of Cyber Defense Magazine and Cybersecurity Expert. Just watch this video to see:
Video: “Hackers steal up to $1B from more than 100 banks” (YouTube)
So, Inky developed Phish Fence as a unique new solution that protects Outlook users against spear phishing and other email-based attacks. It’s the first anti-phishing solution that works as an add-in right within Outlook. It gives your users detailed information about email-based threats, providing both protection and training.
Figure 2: Screenshot of Inky’s Phish Fence plugin running inside Outlook
Inky Phish Fence can be deployed either as an email plugin for Outlook or Gmail or through an inline gateway model with rules for mail delivery and warnings. Thus, instead of a side pane plugin, warning users about a spear phishing attack, Inky Phish Fence can redirect emails away from users or add a warning to the body of the suspicious email so users know, from inside the email, that it’s suspicious and risky.
Inky Phish Fence analyzes the full HTML contents of each mail live when the user views the mail in Outlook. Machine learning algorithms spot misleading links, attempts to impersonate major brands, suspicious uses of typo and Unicode domain name variants, and sources of questionable content like gambling, malware/adware and trackers. Inky also flags external emails that claim to be from internal senders.
Everyone’s talking about how hot the future of Cybersecurity will be when vendors start adding ‘artificial intelligence’ and machine learning. Inky has already done it. They are light years ahead of competition.
For example, if you haven’t looked at it yet, there is an email standard you should know about called DomainKeys Identified Mail (DKIM), which lets a sending domain vouch for a message. The sending mail server signs selected headers together with a hash of the body using the domain’s private key and places the signature in a DKIM-Signature header that names the signing domain (the d= tag) and a key selector (the s= tag). The matching public key is published in DNS as a TXT record at selector._domainkey.domain. After receiving the email, the recipient Mail Transfer Agent (MTA) fetches that public key through the Domain Name Service (DNS), recomputes the body hash and verifies the signature over the signed headers. If both check out, the message was signed by someone holding that domain’s key and the signed parts have not been altered in transit. Signatures can also carry an expiration time (the x= tag) so that an old signed message cannot be replayed indefinitely.
Figure 3: Screenshot of Inky’s Phish Fence Warning Message
The catch is that DKIM, as widely deployed, only tells you which domain signed the message, not which person sent it, and a signature is only as trustworthy as the domain in its d= tag. That’s fine if the signing domain is, say, bankofamerica.com, but a spoofer who registers bankofarnerica.com can publish a DKIM key for it and sign mail that passes verification. The combination “r+n” looks very much like an “m”, especially in some sans-serif fonts such as Arial. Inky Phish Fence is smart enough to catch this among many other newer forms of intelligent phishing attacks.
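To make the DKIM point concrete, here is an added example written for this page (it is not Inky’s code and not part of any DKIM library). Using only the Python standard library it parses a DKIM-Signature header, recomputes the body hash (bh=) with the RFC 6376 “relaxed” body canonicalization, checks the x= expiry, derives the DNS name from which a verifier would fetch the public key, checks that the From domain aligns with the d= tag, and folds confusable sequences such as “rn” to “m” to spot look-alike domains. The sample message, the brand list and the selector name are constructed; the RSA check of the b= tag needs the public key from DNS and is deliberately not performed here, so the b= value in the sample is a placeholder.

```python
"""Added example (not Inky's code): what DKIM binds, and what it does not.
DKIM ties a message to the domain in the d= tag. A look-alike domain can
publish its own key, so a passing signature from bankofarnerica.com is still
a phish. RSA verification of b= is out of scope for this offline example."""
import base64
import hashlib
import re
import time

BRANDS = {"bankofamerica.com", "paypal.com"}          # constructed allow-list
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def relaxed_body_canon(body):
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace,
    strip trailing whitespace per line, drop trailing empty lines, end with CRLF."""
    lines = []
    for ln in body.replace("\r\n", "\n").split("\n"):
        lines.append(re.sub(r"[ \t]+", " ", ln).rstrip(" "))
    while lines and lines[-1] == "":
        lines.pop()
    return b"" if not lines else ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()


def parse_dkim_tags(value):
    """Split a 'k=v; k=v' tag list; whitespace inside b= and bh= is folding and is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        k = k.strip()
        tags[k] = re.sub(r"\s+", "", v) if k in ("b", "bh") else v.strip()
    return tags


def from_domain(from_header):
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def lookalike_of(domain, brands=BRANDS):
    """Return the brand domain this one imitates after folding confusables, else None."""
    d = domain.lower()
    if d in brands:
        return None
    for seq, rep in CONFUSABLES:
        d = d.replace(seq, rep)
    return d if d in brands else None


def assess(headers, body, now=None):
    """Everything a receiver can check offline, plus the look-alike verdict."""
    tags = parse_dkim_tags(headers["DKIM-Signature"])
    now = time.time() if now is None else now
    d = tags.get("d", "").lower()
    sender = from_domain(headers.get("From", ""))
    return {
        "signing_domain": d,
        "dns_key_name": f"{tags.get('s', '')}._domainkey.{d}",  # where the public key lives
        "body_hash_ok": tags.get("bh") == body_hash(body),
        "expired": "x" in tags and int(tags["x"]) < now,
        "from_aligned": sender == d or sender.endswith("." + d),
        "lookalike_of": lookalike_of(d),
    }


def build_sample_message(body, signing_domain="bankofarnerica.com", expires=None):
    """Constructed sample: a look-alike domain signing its own mail (b= is a placeholder)."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={signing_domain}; s=sel2018; "
           f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")
    if expires is not None:
        sig += f"; x={expires}"
    return {"headers": {"From": f"Online Banking <alerts@{signing_domain}>",
                        "Subject": "Action required", "DKIM-Signature": sig},
            "body": body}


if __name__ == "__main__":
    msg = build_sample_message("Dear customer,\n\nPlease verify your account.   \n\n\n")
    for k, v in assess(msg["headers"], msg["body"]).items():
        print(f"{k:15} {v}")
```

Run stand-alone it reports that the body hash matches, the From domain aligns with the signing domain and nothing has expired, which is exactly what a real verifier would conclude, and then that bankofarnerica.com folds to bankofamerica.com. That last check is the one DKIM itself does not make.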
Those ‘last generation’ anti-phishing solutions protect against malware attachments and spam, which is important. They sometimes claim to deal with phishing, but they only recognize phishing attacks via URLs that people have previously reported. Cisco Umbrella, for example, relies on the PhishTank database of reported phishing URLs. Unfortunately, this approach doesn’t work on the large and growing array of phishing attacks that have never been reported, have URLs uniquely targeting recipients, or lack URLs entirely (such as spear phishing wire fraud emails).
I’ve been a strong proponent of user training and awareness and have recommended PhishMe on numerous occasions. However, we find that after training, many users are easily co-opted, yet again. What I like even more is how Inky Phish Fence is not simulation – it’s real-time security. It gives end-users and IT staff specific feedback on real email they’ve received. Lately, the most recent phishing attacks look no different to the human eye than legitimate messages. So, it’s time someone solved this problem.
This next wave of phishing attacks includes forgeries that are visually indistinguishable from the brands they impersonate. Attackers use domain names, URLs and logo imagery that humans cannot tell apart from the real thing. An example is the recent attack using the domain bankofarnerica.com (note that the letter m has been replaced by the visually similar rn sequence). Differences this subtle are hard even for trained cyber security experts to spot. The bottom line is: no amount of training can make users see something that isn’t there.
Uniquely, Inky Phish Fence anti-phishing engine performs content checks to identify these attacks. Phish Fence incorporates over two dozen content checks based on heuristics and AI, and represents the next generation phishing protection, built to address this new wave of attacks. Inky Phish Fence uses machine learning models to look at each email – the text and imagery – as a human would, to identify brand impersonation. No other solution does this, and without this protection you remain exposed to email-based phishing attacks. Finally, Inky Phish Fence both protects and educates users. Gateway solutions simply quarantine mail that fails their checks, leaving users confused about what happened. Inky Phish Fence gives users feedback they can understand about exactly what seems suspicious.
We’re pleased to announce that Inky makes our Editor’s Choice for Deep Sea Phishing as an InfoSec Innovator for 2018 because they have uniquely solved a huge problem way beyond the normal capabilities of any anti-phishing solution we’ve seen. Like most really cool startups, Inky® chose to spend a lot of time in stealth mode building out the technology. They set up shop at Rockville Maryland’s Innovation Hub at 155 Gibbs Street, Rockville, MD 20850. You can reach Dave and his team Toll Free at 1-833-727-INKY (4659) or via email at firstname.lastname@example.org and at https://inky.com.